Specifications
PKCS#11 Version
| Primus PKCS#11 API Provider Version | PKCS#11 Standard Version |
|---|---|
| 2.1.1 | 3.0 (partial) |
| 2.2.0 | 3.0 |
| 2.6.2 | 3.2 |
Supported Mechanisms
| Mechanism | Key Size Min | Key Size Max | Mechanism Information Flags |
|---|---|---|---|
| CKM_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY \| CKF_WRAP \| CKF_UNWRAP |
| CKM_RSA_PKCS_KEY_PAIR_GEN | 1024 | 8192 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_RSA_PKCS_OAEP | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_RSA_X_509 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY \| CKF_WRAP \| CKF_UNWRAP |
| CKM_MD5_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_RIPEMD160_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA1_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA1_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA224_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA224_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA256_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA256_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA384_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA384_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA512_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA512_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_224_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_224_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_256_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_256_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_384_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_384_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_512_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_512_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_KEY_PAIR_GEN | 1024 | 8192 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_DSA_PARAMETER_GEN | 1024 | 3072 | CKF_HW \| CKF_GENERATE |
| CKM_DSA_SHA1 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA224 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA256 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA384 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA512 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA3_224 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA3_256 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA3_384 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA3_512 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_EC_KEY_PAIR_GEN | 224 | 521 | CKF_HW \| CKF_GENERATE_KEY_PAIR \| CKF_EC_F_P \| CKF_EC_ECPARAMETERS \| CKF_EC_NAMEDCURVE \| CKF_EC_UNCOMPRESS \| CKF_EC_COMPRESS |
| CKM_ECDSA | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA1 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA224 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA256 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA384 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA512 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA3_224 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA3_256 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA3_384 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA3_512 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_EC_EDWARDS_KEY_PAIR_GEN | 256 | 448 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_EDDSA | 256 | 448 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DH_PKCS_KEY_PAIR_GEN | 1024 | 8192 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_DH_PKCS_PARAMETER_GEN | 1024 | 1024 | CKF_HW \| CKF_GENERATE |
| CKM_DH_PKCS_DERIVE | 1024 | 8192 | CKF_HW \| CKF_DERIVE |
| CKM_X9_42_DH_KEY_PAIR_GEN | 1024 | 8192 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_X9_42_DH_PARAMETER_GEN | 1024 | 3072 | CKF_HW \| CKF_GENERATE |
| CKM_X9_42_DH_DERIVE | 1024 | 8192 | CKF_HW \| CKF_DERIVE |
| CKM_ECDH1_DERIVE | 224 | 521 | CKF_HW \| CKF_DERIVE |
| CKM_AES_KEY_GEN | 16 | 32 | CKF_HW \| CKF_GENERATE |
| CKM_AES_ECB | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_CBC | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_CBC_PAD | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_GCM | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_AES_CTR | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_AES_MAC | 16 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_AES_CMAC | 16 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_AES_GMAC | 16 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_AES_KEY_WRAP | 16 | 32 | CKF_HW \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_KEY_WRAP_PAD | 16 | 32 | CKF_HW \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_ECB_ENCRYPT_DATA | 16 | 32 | CKF_HW \| CKF_DERIVE |
| CKM_AES_CBC_ENCRYPT_DATA | 16 | 32 | CKF_HW \| CKF_DERIVE |
| CKM_CAMELLIA_KEY_GEN | 16 | 32 | CKF_HW \| CKF_GENERATE |
| CKM_CAMELLIA_ECB | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_CAMELLIA_CBC | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_CAMELLIA_CBC_PAD | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_CAMELLIA_MAC | 16 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DES2_KEY_GEN | 16 | 16 | CKF_HW \| CKF_GENERATE |
| CKM_DES3_KEY_GEN | 24 | 24 | CKF_HW \| CKF_GENERATE |
| CKM_DES3_ECB | 16 | 24 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_DES3_CBC | 16 | 24 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_DES3_CBC_PAD | 16 | 24 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_DES3_CMAC | 16 | 24 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DES3_ECB_ENCRYPT_DATA | 16 | 24 | CKF_HW \| CKF_DERIVE |
| CKM_DES3_CBC_ENCRYPT_DATA | 16 | 24 | CKF_HW \| CKF_DERIVE |
| CKM_MD5 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_RIPEMD160 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA_1 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA224 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA256 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA384 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA512 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA3_224 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA3_256 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA3_384 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA3_512 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_MD5_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_RIPEMD160_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA_1_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA224_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA256_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA384_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA512_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_224_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_256_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_384_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_512_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_CHACHA20 | 32 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_CHACHA20_KEY_GEN | 32 | 32 | CKF_HW \| CKF_GENERATE |
| CKM_POLY1305 | 32 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_POLY1305_KEY_GEN | 32 | 32 | CKF_HW \| CKF_GENERATE |
| CKM_CHACHA20_POLY1305 | 32 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_GENERIC_SECRET_KEY_GEN | 16 | 8192 | CKF_HW \| CKF_GENERATE |
| CKM_KEY_SPLIT | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA1_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA224_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA256_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA384_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA512_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SP800_108_COUNTER_KDF | 16 | 4096 | CKF_HW \| CKF_DERIVE |
| CKM_SP800_108_FEEDBACK_KDF | 16 | 4096 | CKF_HW \| CKF_DERIVE |
| CKM_SP800_108_DOUBLE_PIPELINE_KDF | 16 | 4096 | CKF_HW \| CKF_DERIVE |
| CKM_PKCS5_PBKD2 | 0 | 0 | CKF_HW \| CKF_GENERATE |
| CKM_EC_SLIP10_KEY_PAIR_GEN | 256 | 256 | CKF_HW \| CKF_GENERATE_KEY_PAIR \| CKF_EC_F_P \| CKF_EC_ECPARAMETERS \| CKF_EC_NAMEDCURVE \| CKF_EC_UNCOMPRESS \| CKF_EC_COMPRESS |
| CKM_EC_EDWARDS_SLIP10_KEY_PAIR_GEN | 256 | 256 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_SLIP10_CHILD_DERIVE | 0 | 0 | CKF_HW \| CKF_DERIVE |
Supported PQC Mechanisms
The following PQC mechanisms were added in provider version 2.6.2. These are defined in the PKCS#11 standard v3.2.
| Mechanism | Key Size Min | Key Size Max | Mechanism Information Flags |
|---|---|---|---|
| CKM_HSS_KEY_PAIR_GEN | 0 | 0 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_HSS | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_XMSS_KEY_PAIR_GEN | 0 | 0 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_XMSS | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ML_DSA_KEY_PAIR_GEN | 0 | 0 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_ML_DSA | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHA224 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHA256 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHA384 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHA512 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHA3_224 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHA3_256 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHA3_384 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHA3_512 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHAKE128 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_ML_DSA_SHAKE256 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SLH_DSA_KEY_PAIR_GEN | 0 | 0 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_SLH_DSA | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHA224 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHA256 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHA384 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHA512 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHA3_224 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHA3_256 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHA3_384 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHA3_512 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHAKE128 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_HASH_SLH_DSA_SHAKE256 | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ML_KEM_KEY_PAIR_GEN | 0 | 0 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_ML_KEM | 0 | 0 | CKF_HW \| CKF_ENCAPSULATE \| CKF_DECAPSULATE |
CKM_XMSSMT is not supported.
Supported PQC Parameters
For the XMSS, LMOTS, and LMS algorithms, the following values for the CKA_PARAMETER_SET attribute are supported (requires PKCS#11 Provider 2.6.2). These values are defined in the IANA registry (XMSS, LMOTS, LMS).
```c
/* XMSS parameter sets */
#define CKP_XMSS_SHA2_10_256 (0x00000001)
#define CKP_XMSS_SHA2_16_256 (0x00000002)
#define CKP_XMSS_SHA2_20_256 (0x00000003)
#define CKP_XMSS_SHAKE_10_512 (0x0000000A)
#define CKP_XMSS_SHAKE_16_512 (0x0000000B)
#define CKP_XMSS_SHAKE_20_512 (0x0000000C)

/* LMOTS parameter sets */
#define CKP_LMOTS_SHA256_N32_W1 (0x00000001)
#define CKP_LMOTS_SHA256_N32_W2 (0x00000002)
#define CKP_LMOTS_SHA256_N32_W4 (0x00000003)
#define CKP_LMOTS_SHA256_N32_W8 (0x00000004)
#define CKP_LMOTS_SHA256_N24_W1 (0x00000005)
#define CKP_LMOTS_SHA256_N24_W2 (0x00000006)
#define CKP_LMOTS_SHA256_N24_W4 (0x00000007)
#define CKP_LMOTS_SHA256_N24_W8 (0x00000008)
#define CKP_LMOTS_SHAKE_N32_W1 (0x00000009)
#define CKP_LMOTS_SHAKE_N32_W2 (0x0000000A)
#define CKP_LMOTS_SHAKE_N32_W4 (0x0000000B)
#define CKP_LMOTS_SHAKE_N32_W8 (0x0000000C)
#define CKP_LMOTS_SHAKE_N24_W1 (0x0000000D)
#define CKP_LMOTS_SHAKE_N24_W2 (0x0000000E)
#define CKP_LMOTS_SHAKE_N24_W4 (0x0000000F)
#define CKP_LMOTS_SHAKE_N24_W8 (0x00000010)

/* LMS parameter sets */
#define CKP_LMS_SHA256_M32_H5 (0x00000005)
#define CKP_LMS_SHA256_M32_H10 (0x00000006)
#define CKP_LMS_SHA256_M32_H15 (0x00000007)
#define CKP_LMS_SHA256_M32_H20 (0x00000008)
#define CKP_LMS_SHA256_M32_H25 (0x00000009)
#define CKP_LMS_SHA256_M24_H5 (0x0000000A)
#define CKP_LMS_SHA256_M24_H10 (0x0000000B)
#define CKP_LMS_SHA256_M24_H15 (0x0000000C)
#define CKP_LMS_SHA256_M24_H20 (0x0000000D)
#define CKP_LMS_SHA256_M24_H25 (0x0000000E)
#define CKP_LMS_SHAKE_M32_H5 (0x0000000F)
#define CKP_LMS_SHAKE_M32_H10 (0x00000010)
#define CKP_LMS_SHAKE_M32_H15 (0x00000011)
#define CKP_LMS_SHAKE_M32_H20 (0x00000012)
#define CKP_LMS_SHAKE_M32_H25 (0x00000013)
#define CKP_LMS_SHAKE_M24_H5 (0x00000014)
#define CKP_LMS_SHAKE_M24_H10 (0x00000015)
#define CKP_LMS_SHAKE_M24_H15 (0x00000016)
#define CKP_LMS_SHAKE_M24_H20 (0x00000017)
#define CKP_LMS_SHAKE_M24_H25 (0x00000018)
```
Supported ECC Curves
| OID name | OID hex-value | OID |
|---|---|---|
| secp224k1 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x20} | 1.3.132.0.32 |
| secp224r1 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x21} | 1.3.132.0.33 |
| secp256k1 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x0A} | 1.3.132.0.10 |
| secp256r1, prime256v1, NIST P-256 | {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07} | 1.2.840.10045.3.1.7 |
| secp384r1, NIST P-384 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x22} | 1.3.132.0.34 |
| secp521r1, NIST P-521 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x23} | 1.3.132.0.35 |
| x962_p239v1 | {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04} | 1.2.840.10045.3.1.4 |
| x962_p239v2 | {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05} | 1.2.840.10045.3.1.5 |
| x962_p239v3 | {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06} | 1.2.840.10045.3.1.6 |
| brainpool224r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x05} | 1.3.36.3.3.2.8.1.1.5 |
| brainpool256r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07} | 1.3.36.3.3.2.8.1.1.7 |
| brainpool320r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x09} | 1.3.36.3.3.2.8.1.1.9 |
| brainpool384r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0b} | 1.3.36.3.3.2.8.1.1.11 |
| brainpool512r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0d} | 1.3.36.3.3.2.8.1.1.13 |
| frp256v1 | {0x06,0x0A,0x2A,0x81,0x7A,0x01,0x81,0x5F,0x65,0x82,0x00,0x01} | 1.2.250.1.223.101.256.1 |
Supported Edwards Curves
| OID name | OID hex-value | OID |
|---|---|---|
| Ed25519/SHA2 | {0x06,0x03,0x2B,0x65,0x70} | 1.3.101.112 |
| Ed448 | {0x06,0x03,0x2B,0x65,0x71} | 1.3.101.113 |
| Curve25519 | {0x06,0x03,0x2B,0x65,0x6E} | 1.3.101.110 |
| Curve 448 | {0x06,0x03,0x2B,0x65,0x6F} | 1.3.101.111 |
| Ed25519/SHA3 | {0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0xDC,0x7C,0x05,0x02,0x01} | 1.3.6.1.4.1.44668.5.2.1 |
Firmware Requirements
The following table shows HSM firmware requirements for some mechanisms and features:
| Firmware | Required for Feature or Mechanism |
|---|---|
| latest v2.7 | AES Wrap (CBC/ECB), DSA/DH/DHx942 (export PRIME, SUBPRIME, BASE), Log Export, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, CKA_LOCAL, CKA_TRUSTED, CKA_WRAP_WITH_TRUSTED, CKA_VERIFY_RECOVER, CKA_SIGN_RECOVER, retrieve CKA_EC_PARAMS the same way as sent to HSM, CKM_KEY_SPLIT, SLIP-10 derive with secp256k1 |
| latest v2.8 | Session objects, Ed25519, ChaCha/Poly, C_CopyObject |
| latest v2.9 | DES2, DES2/3-Keywrap |
| latest v3.0 | Full SLIP-10 support |
| latest v3.1 | Ed448, Curve448, CK_EDDSA_PARAMS, PQC mechanisms (CKM_ML_DSA*, CKM_HASH_ML_DSA*, CKM_SLH_DSA*, CKM_HASH_SLH_DSA*, CKM_ML_KEM*, CKM_HSS*, CKM_XMSS*) |
| latest v3.2 | CKM_DES3/AES_ECB/CBC_ENCRYPT_DATA |
Object Label Handling
For details on object labels and identifiers, see this page.
Key Usage Flags
CKA_SIGN, CKA_VERIFY, CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, and CKA_DERIVE default to CK_FALSE. The exception is when none of them is specified, in which case the HSM defaults are applied.
Primus PKCS#11 provider versions earlier than v2.1.3 default the above key usage flags to CK_TRUE. However, some applications only provide command options to enable a specific key usage, not to disable it, which results in too many key usage flags being set when a key is created.
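
The defaulting rules above, modelled as an added example (not part of the Primus provider or its documentation): it computes which usage flags a key template ends up with before and after v2.1.3 and reports the ones granted beyond what was asked for. The typedefs and enum are local stand-ins for the `pkcs11t.h` definitions, and the function names `usage_bit`, `legacy_defaults`, `effective_usage` and `sign_only_excess` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for pkcs11t.h (attribute values as in the standard header),
 * so the example compiles without a PKCS#11 SDK. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKA_ENCRYPT = 0x104, CKA_DECRYPT = 0x105, CKA_WRAP = 0x106, CKA_UNWRAP = 0x107,
       CKA_SIGN = 0x108, CKA_VERIFY = 0x10A, CKA_DERIVE = 0x10C };

/* The seven usage attributes listed above; array index = bit in the masks. */
static const CK_ULONG USAGE_ATTRS[] = { CKA_SIGN, CKA_VERIFY, CKA_ENCRYPT,
                                        CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_DERIVE };
#define N_USAGE   (sizeof USAGE_ATTRS / sizeof USAGE_ATTRS[0])
#define ALL_USAGE ((1u << N_USAGE) - 1u)

unsigned usage_bit(CK_ULONG type) {
    for (size_t i = 0; i < N_USAGE; i++)
        if (USAGE_ATTRS[i] == type) return 1u << i;
    return 0; /* not a usage attribute */
}

/* 1 if provider version major.minor.patch is earlier than 2.1.3. */
int legacy_defaults(int major, int minor, int patch) {
    if (major != 2) return major < 2;
    if (minor != 1) return minor < 1;
    return patch < 3;
}

/* Usage mask a creation template ends up with under the rules above.
 * *hsm_decides is set when a >= 2.1.3 provider sees no usage attribute at all:
 * the HSM defaults then apply and the template alone does not fix the result. */
unsigned effective_usage(const CK_ATTRIBUTE *t, size_t n, int legacy, int *hsm_decides) {
    unsigned given = 0, enabled = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned bit = usage_bit(t[i].type);
        if (!bit || !t[i].pValue || t[i].ulValueLen != sizeof(CK_BBOOL)) continue;
        given |= bit;
        if (*(const CK_BBOOL *)t[i].pValue) enabled |= bit;
    }
    *hsm_decides = !legacy && given == 0;
    if (legacy) enabled |= ALL_USAGE & ~given; /* unspecified flags become CK_TRUE */
    return enabled;                            /* otherwise they stay CK_FALSE */
}

/* Constructed sample: an application that can only say "enable signing".
 * Returns the usages the key gets beyond CKA_SIGN. */
unsigned sign_only_excess(int major, int minor, int patch) {
    CK_BBOOL yes = 1; /* CK_TRUE */
    CK_ATTRIBUTE tmpl[] = { { CKA_SIGN, &yes, sizeof yes } };
    int hsm_decides;
    unsigned eff = effective_usage(tmpl, 1, legacy_defaults(major, minor, patch), &hsm_decides);
    return eff & ~usage_bit(CKA_SIGN);
}
int main(void) {
    printf("2.1.1 excess usage mask: 0x%02x\n", sign_only_excess(2, 1, 1));
    printf("2.6.2 excess usage mask: 0x%02x\n", sign_only_excess(2, 6, 2));
    return 0;
}
```

On any provider version, a template that sets all seven attributes explicitly leaves nothing to a default.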