PKCS#11 – Sample Application

The PKCS#11 library includes sample application code, provided for customer reference, that demonstrates the use of the following:

  • C_GetSlotList to find the slot and token you require.
  • C_GetTokenInfo to obtain information about a particular token, token status, and the status of a token's secure storage.
  • NVIDIA channel extension APIs C_NVIDIA_InitializeChannel, C_NVIDIA_OpenSession and C_NVIDIA_FinalizeChannel to redirect digest operations to TZ-SE (QNX only) and to redirect sign and verify operations with CKM_SHA256_HMAC to a SHA engine (QNX only).
  • C_UnwrapKey to provision a wrapped key using CKM_NVIDIA_AES_GCM_KEY_UNWRAP.
  • Wrapping and unwrapping an ephemeral session key using CKM_AES_CBC, and retrieving the IV generated during the wrap operation (the same IV is required to successfully unwrap the key).
  • The CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP mechanism with a CK_NVIDIA_AES_CBC_KEY_DATA_WRAP_PARAMS mechanism parameter to wrap either one secret key or a pair of secret keys with custom data interleaved between the two.
  • Commit a key to secure storage using C_NVIDIA_CommitTokenObjects.
  • Encrypting with CKM_AES_GCM and retrieving the IV generated during the encrypt operation with C_NVIDIA_EncryptGetIV.
  • Deriving a GCM encrypt and decrypt key using the CKM_TLS12_KEY_SAFE_DERIVE mechanism with the CKA_NVIDIA_CALLER_NONCE attribute set to allow the user to supply their own IV.

  • Mechanisms:
    1. CKM_EDDSA
    2. CKM_SP800_108_COUNTER_KDF
    3. CKM_SHA256
    4. CKM_SHA512
    5. CKM_SHA256_HMAC (QNX only)
    6. CKM_NVIDIA_SP800_56C_TWO_STEPS_KDF
    7. CKM_AES_GCM
    8. CKM_AES_CMAC
    9. CKM_AES_CBC
    10. CKM_AES_KEY_GEN
    11. CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP
    12. CKM_NVIDIA_AES_GCM_KEY_UNWRAP
    13. CKM_TLS12_KEY_SAFE_DERIVE

Refer to the following README for instructions to build the sample application, pkcs11_reference_application:

samples/nvpkcs11/external/README