PKCS#11 – Sample Application
The PKCS#11 library includes sample application code, provided for customer reference, that demonstrates the use of the following:
- C_GetSlotList to find the slot and token you require.
- C_GetTokenInfo to obtain information about a particular token, the token status, and the status of the token's secure storage.
- The NVIDIA channel extension APIs C_NVIDIA_InitializeChannel, C_NVIDIA_OpenSession, and C_NVIDIA_FinalizeChannel to:
  - Redirect digest operations, and sign and verify operations with CKM_SHA256_HMAC, to a SHA engine other than the default.
  - Redirect large sign and verify operations, on 16MB-1 of random data processed in a single part with CKM_AES_GMAC, to an AES engine.
- C_UnwrapKey to provision a wrapped key using CKM_NVIDIA_AES_GCM_KEY_UNWRAP.
- Wrap and unwrap an ephemeral session key using CKM_AES_CBC, and retrieve the IV generated during the wrap operation (the same IV is required to unwrap the key successfully).
- The CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP mechanism with a CK_NVIDIA_AES_CBC_KEY_DATA_WRAP_PARAMS mechanism parameter to wrap either one secret key, or a pair of secret keys with custom data interleaved between the two.
- Commit a key to secure storage using C_NVIDIA_CommitTokenObjects.
- Encrypt with CKM_AES_GCM and retrieve the IV generated during the encrypt operation with C_NVIDIA_EncryptGetIV.
- Derive a GCM encrypt key and a GCM decrypt key using the CKM_TLS12_KEY_SAFE_DERIVE mechanism with the CKA_NVIDIA_CALLER_NONCE attribute set, which allows the user to supply their own IV.
- Perform ECDSA sign and verify operations using the CKM_ECDSA mechanism.
- C_GenerateKeyPair to generate an EC key pair using the CKM_EC_KEY_PAIR_GEN mechanism, and C_DeriveKey with the CKM_ECDH1_DERIVE mechanism to derive a shared key from that key pair.
- Create a CKO_DATA object using C_CreateObject, retrieve its attributes from the target object handle using C_GetAttributeValue, and copy the data object using C_CopyObject.
- Verify an RSA signature using CKM_RSA_PKCS_PSS.
- Perform AES-GCM encryption and decryption performance tests using C_MessageEncryptInit, C_EncryptMessage, and C_MessageEncryptFinal.
- Perform encryption and decryption of multipart data using C_EncryptInit, C_EncryptUpdate, C_EncryptFinal, C_DecryptInit, C_DecryptUpdate, and C_DecryptFinal with the CKM_AES_CBC mechanism.
- Sign and verify multipart messages using the message-based API (C_MessageSignInit, C_SignMessageBegin, C_SignMessageNext, C_MessageSignFinal, C_MessageVerifyInit, C_VerifyMessageBegin, C_VerifyMessageNext, C_MessageVerifyFinal) with the CKM_AES_GMAC mechanism.
- Perform encryption and decryption of multipart data using the message-based API (C_MessageEncryptInit, C_EncryptMessageBegin, C_EncryptMessageNext, C_MessageEncryptFinal, C_MessageDecryptInit, C_DecryptMessageBegin, C_DecryptMessageNext, C_MessageDecryptFinal) with the CKM_AES_CBC mechanism.
- Derive an AES key using CKM_TLS12_KDF and use it to encrypt data with the CKM_AES_CBC mechanism.
- Perform sign and verify operations with the CKM_TLS12_MAC mechanism.
- Derive encryption and MAC keys using CKM_TLS12_KEY_AND_MAC_DERIVE.
- Encrypt and decrypt with CKM_AES_CTR and retrieve the IV generated during the encrypt operation with C_NVIDIA_EncryptGetIV.
- Perform maximum-size single-part encryption and decryption using CKM_AES_CBC_PAD.
Mechanisms:

- CKM_EDDSA
- CKM_SP800_108_COUNTER_KDF
- CKM_SHA256
- CKM_SHA512
- CKM_NVIDIA_SP800_56C_TWO_STEPS_KDF
- CKM_AES_GCM
- CKM_AES_CMAC
- CKM_AES_CBC
- CKM_AES_KEY_GEN
- CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP
- CKM_NVIDIA_AES_GCM_KEY_UNWRAP
- CKM_TLS12_KEY_SAFE_DERIVE
- CKM_ECDSA
- CKM_EC_KEY_PAIR_GEN
- CKM_ECDH1_DERIVE
- CKM_RSA_PKCS_PSS
- CKM_AES_GMAC
- CKM_TLS12_KDF
- CKM_TLS12_MAC
- CKM_TLS12_KEY_AND_MAC_DERIVE
- CKM_AES_CTR
- CKM_AES_CBC_PAD
Refer to the following README for instructions on building the sample application, pkcs11_reference_application:

samples/nvpkcs11/external/README