PKCS#11 – Supported Mechanism – Function Table
The following table shows the combinations of functions and mechanisms that the PKCS#11 library supports. An “x” mark indicates that the PKCS#11 library supports the mechanism for the function.
A Guide to Interpret Cell Entries
- "Encrypt / Encrypt Message" in the column heading means both regular and message-based encryption functions are supported with data supplied either in a single part or over multiple parts for the matching mechanisms, unless limited within the mechanism "x" marked row entry.
- "Sign (Single-part only)" in the column heading means only regular sign function with data supplied in a single part is supported.
- "(Single-part)" within an "x" marked row entry means that the mechanism is limited and only supports data supplied in a single part.
- "(Message Single part / Message Update only)" within an "x" marked row entry means that the mechanism is limited and only supports message-based functions.
- "(Single part, non- message only)" within an "x" marked row entry means that mechanism is limited and only supports regular functions with data supplied in a single part.
| Mechanism | Generate Key | Public/ Private Key Pair Generation | Encrypt/ Encrypt Message | Decrypt/ Decrypt Message | Encrypt/ Encrypt Message (Single- part only) | Decrypt/ Decrypt Message (Single-part only) | MAC Sign/ Sign Message | MAC Verify/ Verify Message | Sign (Single-part only) | Verify (Single- part only) | Digest | Derive Key | Unwrap Key | Wrap Key | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CKM_AES_CBC | X | X | X | X | using AES [FIPS 197] with 128-bit or 256-bit key sizes | ||||||||||
| CKM_AES_CBC_PAD | X | X | using AES [FIPS 197] with 128-bit or 256-bit key sizes | ||||||||||||
| CKM_AES_CTR | X | X | using AES [FIPS 197] with 128-bit or 256-bit key sizes | ||||||||||||
| CKM_AES_GCM | X | X | X | X | using AES [FIPS 197] with 128-bit or 256-bit key sizes | ||||||||||
| CKM_AES_CMAC | X (Single- part) | X (Single- part) | X | using AES [FIPS 197] with 128-bit or 256-bit key sizes | |||||||||||
| CKM_AES_GMAC | X (Message Single part / Message Update only) | X (Message Single part / Message Update only) | |||||||||||||
| CKM_SHA256_HMAC | X (Single- part) | X (Single- part) | X | MAC sign and verify with a CKK_GENERIC_SECRET key of 32B (256 bits) | |||||||||||
| CKM_NVIDIA_SP800_56C_TWO_STEPS_KDF | X | Custom mechanism intended for camera use | |||||||||||||
| CKM_SHA256 | X | ||||||||||||||
| CKM_SHA384 | X | ||||||||||||||
| CKM_SHA512 | X | ||||||||||||||
| CKM_SHA3_256 | X | ||||||||||||||
| CKM_SHA3_384 | X | ||||||||||||||
| CKM_SHA3_512 | X | ||||||||||||||
| CKM_NVIDIA_MACSEC_AES_KEY_WRAP | X | X | Custom mechanism for use with MACSEC | ||||||||||||
| CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP | X | Custom mechanism intended for camera use | |||||||||||||
| CKM_AES_KEY_GEN | X | returning 128-bit or 256-bit key sizes | |||||||||||||
| CKM_GENERIC_SECRET_KEY_GEN | X | returning 128-bit or 256-bit key sizes | |||||||||||||
| CKM_EC_EDWARDS_KEY_PAIR_GEN | X | generate EC public/private key pairs over the curve Ed25519 | |||||||||||||
| CKM_EC_MONTGOMERY_KEY_PAIR_GEN | X | generate EC public/private key pairs over the curve 25519 | |||||||||||||
| CKM_EC_KEY_PAIR_GEN | X | generate EC public/private key pairs over the curve secp256r1 FIPS 186-4 Appendix B.4.2 | |||||||||||||
| CKM_SP800_108_COUNTER_KDF | X | using CKM_AES_CMAC [FIPS 197] with 128-bit or 256-bit key sizes | |||||||||||||
| CKM_SP800_108_COUNTER_KDF | X | using CKM_SHA256_HMAC [FIPS 198-1][FIPS 180-4] with 128 or 256-bit key sizes | |||||||||||||
| CKM_ECDH1_DERIVE | X | Deriving either a CKK_GENERIC_SECRET or CKK_AES. Curve25519 or Curve448 or secp256r1 | |||||||||||||
| CKM_RSA_PKCS_PSS | X | using RSA with 3072 and 4096-bit key sizes, and secure hash algorithms SHA-256, SHA-384, and SHA-512 [FIPS 180-4] for both the hash algorithm and Mask Generating Function (MGF1) [PKCS1-v2.2] | |||||||||||||
| CKM_EDDSA | X | X | curve Ed25519ph [RFC 8032] | ||||||||||||
| CKM_EDDSA (non prehash) | X | X |
curve Ed25519 [RFC 8032] curve448 |
||||||||||||
| CKM_ECDSA | X | X |
curve secp256r1 [SEC2-V2] using secure hash algorithm SHA-256 [FIPS 180-4] |
||||||||||||
| CKM_TLS12_MASTER_KEY_DERIVE_DH | X | using CKM_SHA256_HMAC deriving 384-bit key size | |||||||||||||
| CKM_TLS12_KEY_AND_MAC_DERIVE | X | using CKM_SHA256_HMAC with a CKK_GENERIC_SECRET key of 48B (384 bits) deriving 128-bit or 256-bit key sizes | |||||||||||||
| CKM_TLS12_KEY_SAFE_DERIVE | X | using CKM_SHA256_HMAC with a CKK_GENERIC_SECRET key of 48B (384 bits) deriving 128-bit or 256-bit key sizes | |||||||||||||
| CKM_TLS12_MAC | X (Single part, non- message only) | X (Single part, non- message only) | using CKM_SHA256_HMAC with a CKK_GENERIC_SECRET key of 48B (384 bits) | ||||||||||||
| CKM_TLS12_KDF | X | using CKM_SHA256_HMAC with a CKK_GENERIC_SECRET key of 48B (384 bits) deriving 128-bit or 256-bit key sizes |