PKCS#11 – Sample Application

PKCS#11 library includes sample application code for customer reference to demonstrate use of the following:

• C_GetSlotList to find the slot and token you require.

• C_GetTokenInfo to obtain information about a particular token, token status, and the status of a token’s secure storage.

• NVIDIA channel extension APIs C_NVIDIA_InitializeChannel, C_NVIDIA_OpenSession, and C_NVIDIA_FinalizeChannel to:

  • Redirect digest operation and sign and verify operations with CKM_SHA256_HMAC on to a different SHA engine from the default.

  • Redirect large sign and verify operations on 16MB-1 of random data in a single part with CKM_AES_GMAC on to an AES engine.

• C_UnwrapKey to provision a wrapped key using CKM_NVIDIA_AES_GCM_KEY_UNWRAP.

• Wrap and unwrap an ephemeral session key using CKM_AES_CBC and retrieval of the IV generated during the wrap operation (the same IV is required to successfully unwrap the key).

• CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP mechanism with a CK_NVIDIA_AES_CBC_KEY_DATA_WRAP_PARAMS mechanism parameter to wrap either one secret key, or a pair of secret keys with custom data interleaved between the two.

• Commit a key to secure storage using C_NVIDIA_CommitTokenObjects.

• Encrypt with CKM_AES_GCM and retrieval of the IV generated during the encrypt operation with C_NVIDIA_EncryptGetIV.

• Derive a GCM encrypt and decrypt key using CKM_TLS12_KEY_SAFE_DERIVE mechanism with CKA_NVIDIA_CALLER_NONCE attribute set to allow the user to supply their own IV.

• Perform ECDSA sign/verify operation using CKM_ECDSA mechanism.

• C_GenerateKeyPair to generate EC key pair using CKM_EC_KEY_PAIR_GEN mechanism, and use the key pair to derive a shared key using C_DeriveKey with CKM_ECDH1_DERIVE mechanism.

• Create a CKO_DATA object using C_CreateObject, retrieve the attribute from the target object handle using C_GetAttributeValue, and copy the data object using C_CopyObject.

• Verify an RSA signature using CKM_RSA_PKCS_PSS.

• Perform AES-GCM encryption/decryption performance tests using C_MessageEncryptInit, C_EncryptMessage, and C_MessageEncryptFinal.

• Perform encryption/decryption for multipart data using C_EncryptInit, C_EncryptUpdate, C_EncryptFinal, C_DecryptInit, C_DecryptUpdate, and C_DecryptFinal with the CKM_AES_CBC mechanism.

• Sign and verify multipart messages using the message-based API (C_MessageSignInit, C_SignMessageBegin, C_SignMessageNext, C_MessageSignFinal, C_MessageVerifyInit, C_VerifyMessageBegin, C_VerifyMessageNext, C_MessageVerifyFinal) with the CKM_AES_GMAC mechanism.

• Perform encryption/decryption for multipart data using the message-based API (C_MessageEncryptInit, C_EncryptMessageBegin, C_EncryptMessageNext, C_MessageEncryptFinal, C_MessageDecryptInit, C_DecryptMessageBegin, C_DecryptMessageNext, C_MessageDecryptFinal) with the CKM_AES_CBC mechanism.

• Derive an AES key using CKM_TLS12_KDF and use it to encrypt data with the CKM_AES_CBC mechanism.

• Perform sign and verify operations with the CKM_TLS12_MAC mechanism.

• Derive encryption and MAC keys using CKM_TLS12_KEY_AND_MAC_DERIVE.

• Encrypt/decrypt with CKM_AES_CTR and retrieval of the IV generated during the encrypt operation with C_NVIDIA_EncryptGetIV.

• Perform maximum size in a single part encryption and decryption using CKM_AES_CBC_PAD.

• Mechanisms:

  1. CKM_EDDSA

  2. CKM_SP800_108_COUNTER_KDF

  3. CKM_SHA256

  4. CKM_SHA512

  5. CKM_NVIDIA_SP800_56C_TWO_STEPS_KDF

  6. CKM_AES_GCM

  7. CKM_AES_CMAC

  8. CKM_AES_CBC

  9. CKM_AES_KEY_GEN

  10. CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP

  11. CKM_NVIDIA_AES_GCM_KEY_UNWRAP

  12. CKM_TLS12_KEY_SAFE_DERIVE

  13. CKM_ECDSA

  14. CKM_EC_KEY_PAIR_GEN

  15. CKM_ECDH1_DERIVE

  16. CKM_RSA_PKCS_PSS

  17. CKM_AES_GMAC

  18. CKM_TLS12_KDF

  19. CKM_TLS12_MAC

  20. CKM_TLS12_KEY_AND_MAC_DERIVE

  21. CKM_AES_CTR

  22. CKM_AES_CBC_PAD

Refer to the following README for instructions to build the sample application, pkcs11_reference_application:

samples/nvpkcs11/external/README