PKCS#11 – Sample Application

The PKCS#11 library includes sample application code, for customer reference, that demonstrates the following:

  • C_GetSlotList to find the slot and token you require.

  • C_GetTokenInfo to obtain information about a particular token, token status, and the status of a token’s secure storage.

  • NVIDIA channel extension APIs C_NVIDIA_InitializeChannel, C_NVIDIA_OpenSession, and C_NVIDIA_FinalizeChannel to:

    • Redirect digest operations, and sign and verify operations with CKM_SHA256_HMAC, to a SHA engine other than the default.

    • Redirect large single-part sign and verify operations with CKM_AES_GMAC, on 16MB-1 of random data, to an AES engine.

  • C_UnwrapKey to provision a wrapped key using CKM_NVIDIA_AES_GCM_KEY_UNWRAP.

  • Wrap and unwrap an ephemeral session key using CKM_AES_CBC, and retrieve the IV generated during the wrap operation (the same IV is required to unwrap the key successfully).

  • Use the CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP mechanism with a CK_NVIDIA_AES_CBC_KEY_DATA_WRAP_PARAMS mechanism parameter to wrap either one secret key, or a pair of secret keys with custom data interleaved between the two.

  • Commit a key to secure storage using C_NVIDIA_CommitTokenObjects.

  • Encrypt with CKM_AES_GCM and retrieve the IV generated during the encrypt operation with C_NVIDIA_EncryptGetIV.

  • Derive a GCM encrypt and decrypt key using the CKM_TLS12_KEY_SAFE_DERIVE mechanism with the CKA_NVIDIA_CALLER_NONCE attribute set, which allows the user to supply their own IV.

  • Perform ECDSA sign and verify operations using the CKM_ECDSA mechanism.

  • C_GenerateKeyPair to generate an EC key pair using the CKM_EC_KEY_PAIR_GEN mechanism, then use the key pair to derive a shared key with C_DeriveKey and the CKM_ECDH1_DERIVE mechanism.

  • Create a CKO_DATA object using C_CreateObject, retrieve attributes from the target object handle using C_GetAttributeValue, and copy the data object using C_CopyObject.

  • Verify an RSA signature using CKM_RSA_PKCS_PSS.

  • Perform AES-GCM encryption/decryption performance tests using C_MessageEncryptInit, C_EncryptMessage, and C_MessageEncryptFinal.

  • Perform encryption/decryption for multipart data using C_EncryptInit, C_EncryptUpdate, C_EncryptFinal, C_DecryptInit, C_DecryptUpdate, and C_DecryptFinal with the CKM_AES_CBC mechanism.

  • Sign and verify multipart messages using the message-based API (C_MessageSignInit, C_SignMessageBegin, C_SignMessageNext, C_MessageSignFinal, C_MessageVerifyInit, C_VerifyMessageBegin, C_VerifyMessageNext, C_MessageVerifyFinal) with the CKM_AES_GMAC mechanism.

  • Perform encryption/decryption for multipart data using the message-based API (C_MessageEncryptInit, C_EncryptMessageBegin, C_EncryptMessageNext, C_MessageEncryptFinal, C_MessageDecryptInit, C_DecryptMessageBegin, C_DecryptMessageNext, C_MessageDecryptFinal) with the CKM_AES_CBC mechanism.

  • Derive an AES key using CKM_TLS12_KDF and use it to encrypt data with the CKM_AES_CBC mechanism.

  • Perform sign and verify operations with the CKM_TLS12_MAC mechanism.

  • Derive encryption and MAC keys using CKM_TLS12_KEY_AND_MAC_DERIVE.

  • Encrypt and decrypt with CKM_AES_CTR and retrieve the IV generated during the encrypt operation with C_NVIDIA_EncryptGetIV.

  • Perform maximum-size single-part encryption and decryption using CKM_AES_CBC_PAD.

  • Mechanisms exercised by the sample application:

    1. CKM_EDDSA

    2. CKM_SP800_108_COUNTER_KDF

    3. CKM_SHA256

    4. CKM_SHA512

    5. CKM_NVIDIA_SP800_56C_TWO_STEPS_KDF

    6. CKM_AES_GCM

    7. CKM_AES_CMAC

    8. CKM_AES_CBC

    9. CKM_AES_KEY_GEN

    10. CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP

    11. CKM_NVIDIA_AES_GCM_KEY_UNWRAP

    12. CKM_TLS12_KEY_SAFE_DERIVE

    13. CKM_ECDSA

    14. CKM_EC_KEY_PAIR_GEN

    15. CKM_ECDH1_DERIVE

    16. CKM_RSA_PKCS_PSS

    17. CKM_AES_GMAC

    18. CKM_TLS12_KDF

    19. CKM_TLS12_MAC

    20. CKM_TLS12_KEY_AND_MAC_DERIVE

    21. CKM_AES_CTR

    22. CKM_AES_CBC_PAD

For instructions on building the sample application, pkcs11_reference_application, refer to the following README:

samples/nvpkcs11/external/README