PKCS#11 – Supported Attributes

Create EC and RSA Public Key Attributes Support

The following table lists attributes that differ by key type. It indicates whether a given attribute in a template is supported for a particular key type being created.

| Table Entry | Meaning |
| --- | --- |
| Yes | Indicates that the PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
|  | An empty cell in the Default Value column indicates that no specific value is assigned to the attribute. |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library. |

C_CreateObject

| Attributes | EC Public | RSA Public | Default Values | Note |
| --- | --- | --- | --- | --- |
| CKA_CLASS | Yes | Yes | CKO_PUBLIC_KEY | Mandatory template attribute. |
| CKA_TOKEN | Yes | Yes | FALSE |  |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes |  |  |
| CKA_VALUE | No | No |  |  |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No |  |  |
| CKA_KEY_TYPE | Yes | Yes |  | Mandatory template attribute. |
| CKA_SUBJECT | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_ID | Yes | Yes |  | NVIDIA limitation. Mandatory template attribute. |
| CKA_SENSITIVE | No | No |  |  |
| CKA_ENCRYPT | Read-only | Read-only | FALSE | NVIDIA limitation. Public key encryption is not supported. |
| CKA_DECRYPT | No | No |  |  |
| CKA_WRAP | Read-only | Yes | FALSE | NVIDIA limitation. EC public key wrap is not supported. RSA public key wrap is supported only with a 2k key and the CKM_RSA_PKCS_OAEP mechanism. |
| CKA_UNWRAP | No | No |  |  |
| CKA_SIGN | No | No |  |  |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY_RECOVER | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_DERIVE | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot derive from a public key. |
| CKA_START_DATE | Yes | Yes |  |  |
| CKA_END_DATE | Yes | Yes |  |  |
| CKA_MODULUS | No | Yes |  | Mandatory template attribute. |
| CKA_MODULUS_BITS | No | Read-only | (Result of library function) | Must not be a template attribute. |
| CKA_PUBLIC_EXPONENT | No | Yes |  | Mandatory template attribute. |
| CKA_PUBLIC_KEY_INFO | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_VALUE_LEN | No | No |  |  |
| CKA_EXTRACTABLE | No | No |  |  |
| CKA_LOCAL | Read-only | Read-only | FALSE | Must not be a template attribute. |
| CKA_NEVER_EXTRACTABLE | No | No |  |  |
| CKA_ALWAYS_SENSITIVE | No | No |  |  |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | CK_UNAVAILABLE_INFORMATION | Because CKA_LOCAL is set to FALSE. |
| CKA_MODIFIABLE | Yes | Yes | TRUE |  |
| CKA_COPYABLE | Yes | Yes | TRUE |  |
| CKA_DESTROYABLE | Yes | Yes | TRUE |  |
| CKA_EC_PARAMS | Yes | No |  | Mandatory template attribute. |
| CKA_EC_POINT | Yes | No |  | Mandatory template attribute. |
| CKA_WRAP_WITH_TRUSTED | No | No |  |  |
| CKA_WRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No |  |  |
| CKA_ALLOWED_MECHANISMS | Yes | Yes |  | Mandatory template attribute. |
| CKA_NVIDIA_CALLER_NONCE | No | No |  |  |
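The table above is effectively a contract for what C_CreateObject will accept for an EC public key: some attributes are mandatory, some must not appear in the template, and the read-only booleans are fixed at their default. The following program is an added example (not NVIDIA's code) that turns the EC Public column into a pre-flight check run on the template before the library is called, so a rejected template surfaces with a readable reason rather than a bare return code. It assumes that a read-only attribute may be present in the template only if it carries the default the table lists (the table itself does not say whether supplying the default is tolerated), it covers a representative subset of the rows, and it redefines the handful of pkcs11.h constants it needs so the file builds stand-alone; a real build would include pkcs11.h instead. The sample template values (CKA_ID bytes, the placeholder EC point) are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants mirror pkcs11.h (include pkcs11.h in a real build). */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_CLASS 0x000UL
#define CKA_PRIVATE 0x002UL
#define CKA_TRUSTED 0x086UL
#define CKA_KEY_TYPE 0x100UL
#define CKA_ID 0x102UL
#define CKA_ENCRYPT 0x104UL
#define CKA_WRAP 0x106UL
#define CKA_DERIVE 0x10CUL
#define CKA_MODULUS_BITS 0x121UL
#define CKA_LOCAL 0x163UL
#define CKA_KEY_GEN_MECHANISM 0x166UL
#define CKA_EC_PARAMS 0x180UL
#define CKA_EC_POINT 0x181UL
#define CKA_ALLOWED_MECHANISMS 0x40000600UL
#define CKO_PUBLIC_KEY 0x2UL
#define CKK_EC 0x3UL

typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

typedef enum { RULE_MANDATORY, RULE_FORBIDDEN, RULE_READ_ONLY_BOOL } rule_kind;
typedef struct { CK_ULONG attr; rule_kind kind; CK_BBOOL fixed; } rule;

/* EC Public column of the table: "Mandatory template attribute" rows, "Must not be a
 * template attribute" rows, and Read-only booleans with the default the table lists.
 * Assumption: a read-only attribute may be present only with exactly that default. */
static const rule ec_public_rules[] = {
    { CKA_CLASS, RULE_MANDATORY, 0 },        { CKA_KEY_TYPE, RULE_MANDATORY, 0 },
    { CKA_ID, RULE_MANDATORY, 0 },           { CKA_EC_PARAMS, RULE_MANDATORY, 0 },
    { CKA_EC_POINT, RULE_MANDATORY, 0 },     { CKA_ALLOWED_MECHANISMS, RULE_MANDATORY, 0 },
    { CKA_MODULUS_BITS, RULE_FORBIDDEN, 0 }, { CKA_LOCAL, RULE_FORBIDDEN, 0 },
    { CKA_KEY_GEN_MECHANISM, RULE_FORBIDDEN, 0 },
    { CKA_PRIVATE, RULE_READ_ONLY_BOOL, CK_TRUE }, { CKA_TRUSTED, RULE_READ_ONLY_BOOL, CK_FALSE },
    { CKA_ENCRYPT, RULE_READ_ONLY_BOOL, CK_FALSE }, { CKA_WRAP, RULE_READ_ONLY_BOOL, CK_FALSE },
    { CKA_DERIVE, RULE_READ_ONLY_BOOL, CK_FALSE },
};

static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type) {
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type) return &t[i];
    return NULL;
}

/* Returns NULL when the template satisfies every rule, otherwise a short reason. */
const char *check_ec_public_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    for (size_t i = 0; i < sizeof ec_public_rules / sizeof ec_public_rules[0]; i++) {
        const rule *r = &ec_public_rules[i];
        const CK_ATTRIBUTE *a = find_attr(t, n, r->attr);
        switch (r->kind) {
        case RULE_MANDATORY:
            if (!a || !a->pValue || a->ulValueLen == 0) return "mandatory attribute missing";
            break;
        case RULE_FORBIDDEN:
            if (a) return "attribute must not be in template";
            break;
        case RULE_READ_ONLY_BOOL:
            if (a && (a->ulValueLen != sizeof(CK_BBOOL) || *(const CK_BBOOL *)a->pValue != r->fixed))
                return "read-only attribute differs from its fixed value";
            break;
        }
    }
    /* Both are mandatory, so they are present once the loop above has passed. */
    const CK_ATTRIBUTE *cls = find_attr(t, n, CKA_CLASS), *kt = find_attr(t, n, CKA_KEY_TYPE);
    if (cls->ulValueLen != sizeof(CK_ULONG) || *(const CK_ULONG *)cls->pValue != CKO_PUBLIC_KEY)
        return "CKA_CLASS must be CKO_PUBLIC_KEY";
    if (kt->ulValueLen != sizeof(CK_ULONG) || *(const CK_ULONG *)kt->pValue != CKK_EC)
        return "CKA_KEY_TYPE must be CKK_EC";
    return NULL;
}

/* Constructed sample template with one optional mutation:
 * 0 = conforming, 1 = drop CKA_EC_POINT, 2 = add CKA_MODULUS_BITS, 3 = CKA_PRIVATE FALSE. */
const char *sample_result(int variant) {
    static CK_ULONG cls = CKO_PUBLIC_KEY, ktype = CKK_EC, bits = 256;
    static CK_ULONG mechs[] = { 0x1041UL };                     /* CKM_ECDSA */
    static CK_BBOOL priv;
    static unsigned char id[] = { 0x01, 0x02, 0x03, 0x04 };     /* constructed CKA_ID */
    static unsigned char params[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; /* DER OID prime256v1 */
    static unsigned char point[] = { 0x04, 0x01, 0x00 };         /* placeholder, not a real point */
    CK_ATTRIBUTE t[8];
    CK_ULONG n = 0;
    priv = (variant == 3) ? CK_FALSE : CK_TRUE;
    t[n++] = (CK_ATTRIBUTE){ CKA_CLASS, &cls, sizeof cls };
    t[n++] = (CK_ATTRIBUTE){ CKA_KEY_TYPE, &ktype, sizeof ktype };
    t[n++] = (CK_ATTRIBUTE){ CKA_ID, id, sizeof id };
    t[n++] = (CK_ATTRIBUTE){ CKA_EC_PARAMS, params, sizeof params };
    t[n++] = (CK_ATTRIBUTE){ CKA_ALLOWED_MECHANISMS, mechs, sizeof mechs };
    t[n++] = (CK_ATTRIBUTE){ CKA_PRIVATE, &priv, sizeof priv };
    if (variant != 1) t[n++] = (CK_ATTRIBUTE){ CKA_EC_POINT, point, sizeof point };
    if (variant == 2) t[n++] = (CK_ATTRIBUTE){ CKA_MODULUS_BITS, &bits, sizeof bits };
    return check_ec_public_template(t, n);
}

int main(void) {
    for (int v = 0; v < 4; v++) {
        const char *why = sample_result(v);
        printf("variant %d: %s\n", v, why ? why : "template accepted");
    }
    return 0;
}
```

Running the check client-side costs nothing and turns a CKR_TEMPLATE_INCOMPLETE or CKR_ATTRIBUTE_READ_ONLY from the library into a message that names the offending row; extending `ec_public_rules` with the remaining rows of the column, or adding a second rule table for the RSA Public column, is mechanical.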

Create Secret Key Attributes Support

The table below lists attributes that differ by key type. It indicates whether a given attribute in a template is supported for a particular key type being created.

| Table Entry | Meaning |
| --- | --- |
| Yes | Indicates that the PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
|  | An empty cell in the Default Value column indicates that no specific value is assigned to the attribute. |
| (Result of library function) | Indicates that the PKCS#11 library determines the attribute value. |

C_CreateObject

| Attributes | Generic Secret | AES | Default Values | Note |
| --- | --- | --- | --- | --- |
| CKA_CLASS | Yes | Yes | CKO_SECRET_KEY | Mandatory template attribute. |
| CKA_TOKEN | Yes | Yes | FALSE |  |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes |  |  |
| CKA_VALUE | Yes | Yes |  | Mandatory template attribute. |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_KEY_TYPE | Yes | Yes |  | Mandatory template attribute. |
| CKA_SUBJECT | No | No |  |  |
| CKA_ID | Yes | Yes |  | NVIDIA limitation. Mandatory template attribute. |
| CKA_SENSITIVE | Read-only | Read-only | TRUE | NVIDIA limitation. No access to secret key material. |
| CKA_ENCRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_DECRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_WRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_UNWRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_SIGN | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY_RECOVER | No | No |  |  |
| CKA_DERIVE | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_START_DATE | Yes | Yes |  |  |
| CKA_END_DATE | Yes | Yes |  |  |
| CKA_MODULUS | No | No |  |  |
| CKA_MODULUS_BITS | No | No |  |  |
| CKA_PUBLIC_EXPONENT | No | No |  |  |
| CKA_PUBLIC_KEY_INFO | No | No |  |  |
| CKA_VALUE_LEN | Read-only | Read-only | (Result of library function) | Must not be a template attribute. |
| CKA_EXTRACTABLE | Yes | Yes | FALSE |  |
| CKA_LOCAL | Read-only | Read-only | FALSE | Must not be a template attribute. |
| CKA_NEVER_EXTRACTABLE | Read-only | Read-only | FALSE | Must not be a template attribute. |
| CKA_ALWAYS_SENSITIVE | Read-only | Read-only | FALSE | Must not be a template attribute. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | CK_UNAVAILABLE_INFORMATION | Because CKA_LOCAL is set to FALSE. |
| CKA_MODIFIABLE | Yes | Yes | TRUE |  |
| CKA_COPYABLE | Yes | Yes | TRUE |  |
| CKA_DESTROYABLE | Yes | Yes | TRUE |  |
| CKA_EC_PARAMS | No | No |  |  |
| CKA_EC_POINT | No | No |  |  |
| CKA_WRAP_WITH_TRUSTED | Yes | Yes | FALSE |  |
| CKA_WRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes | Yes |  | Mandatory template attribute. |
| CKA_NVIDIA_CALLER_NONCE | Read-only | Read-only | FALSE | NVIDIA Extension limitation. May be set TRUE for FSI keys only on Thor. |

Generate Secret Key Attributes Support

The following table lists attributes that differ by key type. It indicates whether a given attribute in a template is supported for a particular key type being generated.

| Table Entry | Meaning |
| --- | --- |
| Yes | Indicates that the PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
|  | An empty cell in the Default Value column indicates that no specific value is assigned to the attribute. |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library. |

C_GenerateKey

| Attributes | Generic Secret | AES | Default Values | Note |
| --- | --- | --- | --- | --- |
| CKA_CLASS | Read-only | Read-only | CKO_SECRET_KEY | Implied by the generation mechanism. Cannot be changed. |
| CKA_TOKEN | Yes | Yes | FALSE |  |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes |  |  |
| CKA_VALUE | Read-only | Read-only | (Result of library function) | Set by the mechanism. |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_KEY_TYPE | Read-only | Read-only | (Result of library function) | Set by the mechanism. Cannot be changed. |
| CKA_SUBJECT | No | No |  |  |
| CKA_ID | Yes | Yes |  | NVIDIA limitation. Mandatory template attribute. |
| CKA_SENSITIVE | Read-only | Read-only | TRUE | NVIDIA limitation. No access to secret key material. |
| CKA_ENCRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_DECRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_WRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_UNWRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_SIGN | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY_RECOVER | No | No |  |  |
| CKA_DERIVE | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_START_DATE | Yes | Yes |  |  |
| CKA_END_DATE | Yes | Yes |  |  |
| CKA_MODULUS | No | No |  |  |
| CKA_MODULUS_BITS | No | No |  |  |
| CKA_PUBLIC_EXPONENT | No | No |  |  |
| CKA_PUBLIC_KEY_INFO | No | No |  |  |
| CKA_VALUE_LEN | Yes | Yes | 16 | Mandatory template attribute. |
| CKA_EXTRACTABLE | Yes | Yes | FALSE |  |
| CKA_LOCAL | Read-only | Read-only | TRUE | Must not be a template attribute. |
| CKA_NEVER_EXTRACTABLE | Read-only | Read-only | (Result of library function) | Must not be a template attribute. |
| CKA_ALWAYS_SENSITIVE | Read-only | Read-only | TRUE | Must not be a template attribute. NVIDIA limitation. No access to secret key material. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | (Result of library function) | Must not be a template attribute. |
| CKA_MODIFIABLE | Yes | Yes | TRUE |  |
| CKA_COPYABLE | Yes | Yes | TRUE |  |
| CKA_DESTROYABLE | Yes | Yes | TRUE |  |
| CKA_EC_PARAMS | No | No |  |  |
| CKA_EC_POINT | No | No |  |  |
| CKA_WRAP_WITH_TRUSTED | Yes | Yes | FALSE |  |
| CKA_WRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes | Yes |  | Mandatory template attribute. |
| CKA_NVIDIA_CALLER_NONCE | Read-only | Read-only | FALSE | NVIDIA Extension limitation. May be set TRUE for FSI keys only on Thor. |

Generate Public / Private Key Pair Attributes Support

The following table lists attributes that differ by key type. It indicates whether a given attribute in a template is supported for a particular key type being generated.

| Table Entry | Meaning |
| --- | --- |
| Yes | Indicates that the PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
|  | An empty cell in the Default Value column indicates that no specific value is assigned to the attribute. |
| (Result of library function) | Indicates that the PKCS#11 library determines the attribute value. |

C_GenerateKeyPair

| Attributes | EC Public | EC Private | Default Values | Note |
| --- | --- | --- | --- | --- |
| CKA_CLASS | Read-only | Read-only | (Result of library function) |  |
| CKA_TOKEN | Yes | Yes | FALSE | Same value for both templates. |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes |  |  |
| CKA_VALUE | No | No |  |  |
| CKA_TRUSTED | Read-only | No | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No |  |  |
| CKA_KEY_TYPE | Read-only | Read-only | (Result of library function) |  |
| CKA_SUBJECT | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_ID | Yes | Yes |  | NVIDIA limitation. Mandatory template attribute; the values in the two templates must be identical. |
| CKA_SENSITIVE | No | Read-only | TRUE | NVIDIA limitation. No access to private key material. |
| CKA_ENCRYPT | Read-only | No | FALSE | NVIDIA limitation. Public key encryption is not supported. |
| CKA_DECRYPT | No | Read-only | FALSE | NVIDIA limitation. Private key decryption is not supported. |
| CKA_WRAP | Read-only | No | FALSE | NVIDIA limitation. Public key wrap is not supported. |
| CKA_UNWRAP | No | Read-only | FALSE | NVIDIA limitation. Private key unwrap is not supported. |
| CKA_SIGN | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_SIGN_RECOVER | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_VERIFY | Yes | No | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY_RECOVER | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_DERIVE | Read-only | Yes | FALSE | NVIDIA limitation. Cannot derive from a public key. |
| CKA_START_DATE | Yes | Yes |  |  |
| CKA_END_DATE | Yes | Yes |  |  |
| CKA_MODULUS | No | No |  |  |
| CKA_MODULUS_BITS | No | No |  |  |
| CKA_PUBLIC_EXPONENT | No | No |  |  |
| CKA_PUBLIC_KEY_INFO | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_VALUE_LEN | No | No |  |  |
| CKA_EXTRACTABLE | No | Yes | FALSE |  |
| CKA_LOCAL | Read-only | Read-only | TRUE | Must not be a template attribute. |
| CKA_NEVER_EXTRACTABLE | No | Read-only | (Result of library function) | Must not be a template attribute. |
| CKA_ALWAYS_SENSITIVE | No | Read-only | TRUE | Must not be a template attribute. NVIDIA limitation. No access to private key material. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | (Result of library function) | Must not be a template attribute. |
| CKA_MODIFIABLE | Yes | Yes | TRUE |  |
| CKA_COPYABLE | Yes | Yes | TRUE |  |
| CKA_DESTROYABLE | Yes | Yes | TRUE |  |
| CKA_EC_PARAMS | Yes | Read-only |  | Public key: mandatory template attribute. Private key: must not be a template attribute. |
| CKA_EC_POINT | Read-only | No | (Result of library function) |  |
| CKA_WRAP_WITH_TRUSTED | No | Yes | FALSE |  |
| CKA_WRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes | Yes |  | Mandatory template attribute. |
| CKA_ALWAYS_AUTHENTICATE | No | No |  | NVIDIA limitation. Not supported for private keys. |
| CKA_NVIDIA_CALLER_NONCE | No | No |  |  |

Derive Secret Key Attributes Support

The table below lists attributes that differ by key type. It indicates whether a given attribute in a template is supported for a particular key type being derived.

| Table Entry | Meaning |
| --- | --- |
| Yes | Indicates that the PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
|  | An empty cell in the Default Value column indicates that no specific value is assigned to the attribute. |
| (Result of library function) | Indicates that the PKCS#11 library determines the attribute value. |

C_DeriveKey

| Attributes | Generic Secret | AES | Default Values | Note |
| --- | --- | --- | --- | --- |
| CKA_CLASS | Read-only | Read-only | CKO_SECRET_KEY | NVIDIA limitation. Only a secret key can be derived. |
| CKA_TOKEN | Yes | Yes | FALSE | NVIDIA limitation. A token key can only be derived from a token key. |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes |  |  |
| CKA_VALUE | Read-only | Read-only | (Result of library function) |  |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_KEY_TYPE | Yes | Yes |  | Mandatory template attribute. |
| CKA_SUBJECT | No | No |  |  |
| CKA_ID | Yes | Yes |  | NVIDIA limitation. Mandatory template attribute. |
| CKA_SENSITIVE | Yes | Yes | TRUE | NVIDIA limitation. A secret key with CKA_SENSITIVE set to FALSE cannot be used for cryptographic operations. |
| CKA_ENCRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_DECRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_WRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_UNWRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_SIGN | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY_RECOVER | No | No |  |  |
| CKA_DERIVE | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_START_DATE | Yes | Yes |  |  |
| CKA_END_DATE | Yes | Yes |  |  |
| CKA_MODULUS | No | No |  |  |
| CKA_MODULUS_BITS | No | No |  |  |
| CKA_PUBLIC_EXPONENT | No | No |  |  |
| CKA_PUBLIC_KEY_INFO | No | No |  |  |
| CKA_VALUE_LEN | Yes | Yes | 16 | Mandatory template attribute. |
| CKA_EXTRACTABLE | Yes | Yes | FALSE | NVIDIA limitation. If the base key has its CKA_EXTRACTABLE attribute set to CK_FALSE, then the derived key does too. |
| CKA_LOCAL | Read-only | Read-only | FALSE | Must not be a template attribute. |
| CKA_NEVER_EXTRACTABLE | Read-only | Read-only | Inherited from the base key depending on CKA_EXTRACTABLE history* | Must not be a template attribute. |
| CKA_ALWAYS_SENSITIVE | Read-only | Read-only | Inherited from the base key depending on CKA_SENSITIVE history** | Must not be a template attribute. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | CK_UNAVAILABLE_INFORMATION | Because CKA_LOCAL is set to FALSE. |
| CKA_MODIFIABLE | Yes | Yes | TRUE |  |
| CKA_COPYABLE | Yes | Yes | TRUE |  |
| CKA_DESTROYABLE | Yes | Yes | TRUE |  |
| CKA_EC_PARAMS | No | No |  |  |
| CKA_EC_POINT | No | No |  |  |
| CKA_WRAP_WITH_TRUSTED | Yes | Yes | FALSE |  |
| CKA_WRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes | Yes |  | Mandatory template attribute. |
| CKA_NVIDIA_CALLER_NONCE | Yes | Yes | FALSE | NVIDIA Extension. May be TRUE only for encrypt/decrypt session keys derived using CKM_TLS12_KEY_AND_MAC_DERIVE or CKM_TLS12_KEY_SAFE_DERIVE***. NVIDIA Extension limitation. May be set TRUE for FSI keys only on Thor. |

* If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_FALSE, then the derived key does too. If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_TRUE, then the derived key has its CKA_NEVER_EXTRACTABLE attribute set to the opposite value from its CKA_EXTRACTABLE attribute. If the base key has its CKA_EXTRACTABLE attribute set to CK_FALSE, then the derived key does too.

** If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_FALSE, then the derived key does as well. If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_TRUE, then the derived key has its CKA_ALWAYS_SENSITIVE attribute set to the same value as its CKA_SENSITIVE attribute.

*** When deriving TLS keys, the 10 least significant bytes of the CKA_ID are overwritten in order to create four sub-keys (ServerKey, ClientKey, hClientMacSecret and hServerMacSecret). If the user has multiple TLS sessions on the same token, ensure that the first 22 bytes of the CKA_ID are unique to avoid the library returning CKR_ARGUMENTS_BAD.
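Footnotes * and ** describe how the derived key's extractability and sensitivity history is computed from the base key, and footnote *** puts a uniqueness requirement on the caller's CKA_IDs. The following program is an added example (not NVIDIA's code) that writes both down as checkable functions: `derive_flags()` computes the four flags a derived key ends up with, and `tls_ids_unique()` is the 22-byte-prefix check a TLS integration should run before issuing several TLS derivations on one token. Assumptions not stated on the page: the template's CKA_EXTRACTABLE and CKA_SENSITIVE values are taken as given whenever the base key permits them, and CKA_ID is treated as 32 bytes (22 unique bytes plus the 10 the library rewrites). The base keys and CKA_IDs in the sample functions are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    bool extractable, never_extractable, sensitive, always_sensitive;
} key_flags;

/* tmpl_*: the values the caller puts in the C_DeriveKey template (table defaults:
 * CKA_EXTRACTABLE FALSE, CKA_SENSITIVE TRUE). Assumption: when the base key
 * permits it, the template value is taken as-is. */
key_flags derive_flags(key_flags base, bool tmpl_extractable, bool tmpl_sensitive) {
    key_flags d;
    /* CKA_EXTRACTABLE row: CK_FALSE on the base key forces CK_FALSE on the derived key. */
    d.extractable = base.extractable ? tmpl_extractable : false;
    /* Footnote *: CK_FALSE on the base stays CK_FALSE; CK_TRUE on the base makes the
     * derived value the opposite of the derived key's own CKA_EXTRACTABLE. */
    d.never_extractable = base.never_extractable ? !d.extractable : false;
    d.sensitive = tmpl_sensitive;
    /* Footnote **: CK_FALSE on the base stays CK_FALSE; CK_TRUE on the base makes the
     * derived value equal to the derived key's own CKA_SENSITIVE. */
    d.always_sensitive = base.always_sensitive ? d.sensitive : false;
    return d;
}

#define NV_TLS_ID_PREFIX 22   /* footnote ***: these bytes must be unique per TLS session */
#define NV_TLS_ID_SUFFIX 10   /* footnote ***: these bytes are overwritten by the library */
#define NV_ID_LEN (NV_TLS_ID_PREFIX + NV_TLS_ID_SUFFIX)  /* assumed CKA_ID length: 32 bytes */

/* ids: count CKA_IDs of NV_ID_LEN bytes each, stored back to back. Returns true when
 * every pair differs somewhere in the first NV_TLS_ID_PREFIX bytes, i.e. no two
 * sessions would collide once the library rewrites the suffix. */
bool tls_ids_unique(const unsigned char *ids, size_t count) {
    for (size_t i = 0; i < count; i++)
        for (size_t j = i + 1; j < count; j++)
            if (memcmp(ids + i * NV_ID_LEN, ids + j * NV_ID_LEN, NV_TLS_ID_PREFIX) == 0)
                return false;
    return true;
}

/* Constructed scenario: base key with CKA_EXTRACTABLE TRUE and both history flags
 * TRUE, so the template decides what the derived key gets. */
key_flags sample_derive_from_history_true_base(bool tmpl_extractable, bool tmpl_sensitive) {
    key_flags base = { true, true, true, true };
    return derive_flags(base, tmpl_extractable, tmpl_sensitive);
}

/* Constructed scenario: non-extractable base key; the template asks for an
 * extractable derived key and does not get one. */
key_flags sample_derive_from_nonextractable_base(void) {
    key_flags base = { false, true, true, true };
    return derive_flags(base, true, true);
}

/* Constructed CKA_IDs: two IDs that differ only in the rewritten suffix collide;
 * with fix_prefix set, the second ID also differs in its first byte. */
bool sample_ids_unique(bool fix_prefix) {
    unsigned char ids[2 * NV_ID_LEN];
    memset(ids, 0xA1, sizeof ids);
    ids[2 * NV_ID_LEN - 1] = 0xFF;           /* second ID differs only in byte 31 */
    if (fix_prefix) ids[NV_ID_LEN] = 0xB2;    /* second ID now differs in byte 0 */
    return tls_ids_unique(ids, 2);
}

int main(void) {
    key_flags d = sample_derive_from_history_true_base(true, false);
    printf("derived: extractable=%d never_extractable=%d sensitive=%d always_sensitive=%d\n",
           d.extractable, d.never_extractable, d.sensitive, d.always_sensitive);
    printf("IDs differing only in the suffix: %s\n", sample_ids_unique(false) ? "unique" : "collision");
    printf("IDs differing in the prefix: %s\n", sample_ids_unique(true) ? "unique" : "collision");
    return 0;
}
```

The flag computation is worth having in a test suite for an integration: after a real C_DeriveKey, read back CKA_NEVER_EXTRACTABLE and CKA_ALWAYS_SENSITIVE with C_GetAttributeValue and compare against `derive_flags()`, which catches a template that silently produced a key with a weaker history than intended.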

Unwrap Key Attributes Support with CKM_NVIDIA_AES_GCM_KEY_UNWRAP

The PKCS#11 library does not support applying Cryptoki attributes supplied in a template to a key unwrapped with the CKM_AES_GCM mechanism. The key attributes are instead supplied through the optional Additional Authenticated Data (AAD) input when the CKM_NVIDIA_AES_GCM_KEY_UNWRAP mechanism is used with C_UnwrapKey.

This change uses a vendor-specific mechanism introduced in 6.0.8.1. It is backwards compatible for customers who have already created unwrapping keys with CKM_AES_GCM as the supported mechanism: both CKM_AES_GCM and CKM_NVIDIA_AES_GCM_KEY_UNWRAP can coexist and be used.

How does this change affect the customer application? Depending on which supported mechanism is named in the unwrapping key and which unwrapping mechanism is named when C_UnwrapKey is called, the PKCS#11 library reacts according to one of the four possible combinations shown below:

| Supported mechanism in the unwrapping key | Unwrap key mechanism: CKM_AES_GCM | Unwrap key mechanism: CKM_NVIDIA_AES_GCM_KEY_UNWRAP |
| --- | --- | --- |
| CKM_AES_GCM | If pTemplate == NULL: unwrap using CKM_NVIDIA_AES_GCM_KEY_UNWRAP and log "Update unwrapping mechanism and key supported mechanisms". If pTemplate != NULL: return CKR_ARGUMENTS_BAD (not supported as of 6.0.8.1). | If pTemplate == NULL: unwrap using CKM_NVIDIA_AES_GCM_KEY_UNWRAP and log "Update key supported mechanisms". If pTemplate != NULL: return CKR_ARGUMENTS_BAD. |
| CKM_NVIDIA_AES_GCM_KEY_UNWRAP | Return CKR_MECHANISM_INVALID. | If pTemplate == NULL: unwrap using CKM_NVIDIA_AES_GCM_KEY_UNWRAP. If pTemplate != NULL: return CKR_ARGUMENTS_BAD. |

A customer application provisioning keys with the original mechanism will still work with 6.0.8.1. For that use case the PKCS#11 library issues an advisory log asking to update to the new vendor-specific mechanism naming scheme.

Unwrap Secret Key Attributes Support with CKM_AES_CBC

The PKCS#11 library supports applying Cryptoki attributes supplied in a template to the unwrapped ephemeral session secret key with the CKM_AES_CBC mechanism.

The following table lists attributes that differ by key type. It indicates whether a given attribute in a template is supported for a particular key type being created.

| Table Entry | Meaning |
| --- | --- |
| Yes | Indicates that the PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
|  | An empty cell in the Default Value column indicates that no specific value is assigned to the attribute. |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library. |

C_UnwrapKey

| Attributes | Generic Secret | AES | Default Values | Note |
| --- | --- | --- | --- | --- |
| CKA_CLASS | Yes | Yes | CKO_SECRET_KEY | Mandatory template attribute. |
| CKA_TOKEN | Read-only | Read-only | FALSE | NVIDIA limitation. Only ephemeral keys can be unwrapped when an attribute template is supported. |
| CKA_PRIVATE | Read-only | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | Yes |  |  |
| CKA_VALUE | No | No |  |  |
| CKA_TRUSTED | Read-only | Read-only | FALSE | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_KEY_TYPE | Yes | Yes |  | Mandatory template attribute. |
| CKA_SUBJECT | No | No |  |  |
| CKA_ID | Yes | Yes |  | NVIDIA limitation. Mandatory template attribute. |
| CKA_SENSITIVE | Read-only | Read-only | TRUE | NVIDIA limitation. No access to secret key material. |
| CKA_ENCRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_DECRYPT | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_WRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_UNWRAP | No | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_SIGN | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY_RECOVER | No | No |  |  |
| CKA_DERIVE | Yes | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_START_DATE | Yes | Yes |  |  |
| CKA_END_DATE | Yes | Yes |  |  |
| CKA_MODULUS | No | No |  |  |
| CKA_MODULUS_BITS | No | No |  |  |
| CKA_PUBLIC_EXPONENT | No | No |  |  |
| CKA_PUBLIC_KEY_INFO | No | No |  |  |
| CKA_VALUE_LEN | Yes | Yes |  | Mandatory template attribute. |
| CKA_EXTRACTABLE | Yes | Yes | FALSE | NVIDIA limitation. Defaults to FALSE on unwrap. |
| CKA_LOCAL | Read-only | Read-only | FALSE | Must not be a template attribute. |
| CKA_NEVER_EXTRACTABLE | Read-only | Read-only | FALSE | Must not be a template attribute. |
| CKA_ALWAYS_SENSITIVE | Read-only | Read-only | FALSE | Must not be a template attribute. |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | CK_UNAVAILABLE_INFORMATION | Must not be a template attribute. |
| CKA_MODIFIABLE | Yes | Yes | TRUE |  |
| CKA_COPYABLE | Yes | Yes | TRUE |  |
| CKA_DESTROYABLE | Yes | Yes | TRUE |  |
| CKA_EC_PARAMS | No | No |  |  |
| CKA_EC_POINT | No | No |  |  |
| CKA_WRAP_WITH_TRUSTED | Yes | Yes | FALSE |  |
| CKA_WRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No |  | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes | Yes |  | Mandatory template attribute. |
| CKA_NVIDIA_CALLER_NONCE | Read-only | Read-only | FALSE | NVIDIA Extension limitation. May be set TRUE for FSI keys only on Thor. |

Unwrap Private Key Attributes Support with CKM_AES_CBC

The PKCS#11 library supports applying Cryptoki attributes supplied in a template to the unwrapped ephemeral session private key with the CKM_AES_CBC mechanism.

The table below lists attributes that differ by key type. It indicates whether a given attribute in a template is supported for a particular key type being created.

| Table Entry | Meaning |
| --- | --- |
| Yes | Indicates that the PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
|  | An empty cell in the Default Value column indicates that no specific value is assigned to the attribute. |
| (Result of library function) | Indicates that the PKCS#11 library determines the attribute value. |

C_UnwrapKey

| Attributes | EC Private | Default Value | Note |
| --- | --- | --- | --- |
| CKA_CLASS | Yes | CKO_PRIVATE_KEY | Mandatory template attribute. |
| CKA_TOKEN | Read-only | FALSE | NVIDIA limitation. Only ephemeral keys can be unwrapped when an attribute template is supported. |
| CKA_PRIVATE | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes |  |  |
| CKA_VALUE | No |  |  |
| CKA_TRUSTED | No |  |  |
| CKA_CHECK_VALUE | No |  |  |
| CKA_KEY_TYPE | Yes |  | Mandatory template attribute. |
| CKA_SUBJECT | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_ID | Yes |  | NVIDIA limitation. Mandatory template attribute. |
| CKA_SENSITIVE | Read-only | TRUE | NVIDIA limitation. No access to private key material. |
| CKA_ENCRYPT | No |  |  |
| CKA_DECRYPT | Read-only | FALSE | NVIDIA limitation. Private key decryption is not supported. |
| CKA_WRAP | No |  |  |
| CKA_UNWRAP | Read-only | FALSE | NVIDIA limitation. Private key unwrap is not supported. |
| CKA_SIGN | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_VERIFY | No |  |  |
| CKA_VERIFY_RECOVER | No |  |  |
| CKA_DERIVE | Yes | FALSE | NVIDIA limitation. Observe single purpose rules. |
| CKA_START_DATE | Yes |  |  |
| CKA_END_DATE | Yes |  |  |
| CKA_MODULUS | No |  |  |
| CKA_MODULUS_BITS | No |  |  |
| CKA_PUBLIC_EXPONENT | No |  |  |
| CKA_PUBLIC_KEY_INFO | No |  |  |
| CKA_VALUE_LEN | No |  |  |
| CKA_EXTRACTABLE | Yes | FALSE | NVIDIA limitation. Defaults to FALSE on unwrap. |
| CKA_LOCAL | Read-only | FALSE | Must not be a template attribute. |
| CKA_NEVER_EXTRACTABLE | Read-only | FALSE | Must not be a template attribute. |
| CKA_ALWAYS_SENSITIVE | Read-only | FALSE | Must not be a template attribute. |
| CKA_KEY_GEN_MECHANISM | Read-only | CK_UNAVAILABLE_INFORMATION | Must not be a template attribute. |
| CKA_MODIFIABLE | Yes | TRUE |  |
| CKA_COPYABLE | Yes | TRUE |  |
| CKA_DESTROYABLE | Yes | TRUE |  |
| CKA_EC_PARAMS | Yes |  | Mandatory template attribute. |
| CKA_EC_POINT | No |  |  |
| CKA_WRAP_WITH_TRUSTED | Yes | FALSE |  |
| CKA_WRAP_TEMPLATE | No |  |  |
| CKA_UNWRAP_TEMPLATE | No |  | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes |  | Mandatory template attribute. |
| CKA_NVIDIA_CALLER_NONCE | No |  |  |

Copy Key Attributes Support

The following table lists attributes that differ by key type. It indicates whether a given attribute in a template is supported for a particular key type being copied.

| Table Entry | Meaning |
| --- | --- |
| Yes | Indicates that the PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support the attribute for the specific key type. |
| Read-only | The attribute is set to read-only for the specific key type. |
|  | An empty cell in the Default Value column indicates that no specific value is assigned to the attribute. |
| (Result of library function) | Indicates that the PKCS#11 library determines the attribute value. |

C_CopyObject

| Attributes | EC Private | EC Public | RSA Public | Generic Secret | AES | Default Value | Note |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CKA_CLASS | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_TOKEN | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied | NVIDIA limitation. A token key cannot be copied into a session key or vice versa. |
| CKA_PRIVATE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_LABEL | Yes | Yes | Yes | Yes | Yes | Inherited from the object being copied |  |
| CKA_VALUE | No | No | No | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_TRUSTED | No | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_CHECK_VALUE | No | No | No | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_KEY_TYPE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_SUBJECT | No | No | No | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_ID | Yes | Yes | Yes | Yes | Yes |  | NVIDIA limitation. Mandatory template attribute. |
| CKA_SENSITIVE | Read-only | No | No | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_ENCRYPT | No | Read-only | Read-only | No | Read-only | Inherited from the object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_DECRYPT | Read-only | No | No | No | Read-only | Inherited from the object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_WRAP | No | Read-only | Read-only | No | Read-only | Inherited from the object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_UNWRAP | Read-only | No | No | No | Read-only | Inherited from the object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_SIGN | Read-only | No | No | Read-only | Read-only | Inherited from the object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_SIGN_RECOVER | No | No | No | No | No |  | NVIDIA limitation. Attribute not supported for private keys. |
| CKA_VERIFY | No | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_VERIFY_RECOVER | No | No | No | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_DERIVE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied | NVIDIA limitation. Key usage immutability. |
| CKA_START_DATE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_END_DATE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_MODULUS | No | No | Read-only | No | No | Inherited from the object being copied |  |
| CKA_MODULUS_BITS | No | No | Read-only | No | No | Inherited from the object being copied |  |
| CKA_PUBLIC_EXPONENT | No | No | Read-only | No | No | Inherited from the object being copied |  |
| CKA_PUBLIC_KEY_INFO | No | No | No | No | No |  | NVIDIA limitation. Attribute not supported. |
| CKA_VALUE_LEN | No | No | No | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_EXTRACTABLE | Read-only | No | No | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_LOCAL | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_NEVER_EXTRACTABLE | Read-only | No | No | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_ALWAYS_SENSITIVE | Read-only | No | No | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_KEY_GEN_MECHANISM | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_MODIFIABLE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_COPYABLE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_DESTROYABLE | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_EC_PARAMS | Read-only | Read-only | No | No | No | Inherited from the object being copied |  |
| CKA_EC_POINT | No | Read-only | No | No | No | Inherited from the object being copied |  |
| CKA_WRAP_WITH_TRUSTED | Read-only | No | No | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_WRAP_TEMPLATE | No | No | No | No | No |  | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No | No | No | No |  | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Read-only | Read-only | Read-only | Read-only | Read-only | Inherited from the object being copied |  |
| CKA_ALWAYS_AUTHENTICATE | No | No | No | No | No |  | NVIDIA limitation. Not supported. |
| CKA_NVIDIA_USER_NONCE | No | No | No | Read-only | Read-only | Inherited from the object being copied |  |

Set Attributes Support

Note: Only a single attribute may be set at a time.

The following table lists attributes that differ by key type. It indicates whether a given attribute in a template is supported for a particular key type operation.

| Table Entry | Meaning |
| --- | --- |
| Yes | Indicates that the PKCS#11 library supports setting the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support setting the attribute for the specific key type. |

C_SetAttributeValue

| Attributes | EC Private | EC Public | RSA Public | Generic Secret | AES | Note |
| --- | --- | --- | --- | --- | --- | --- |
| CKA_LABEL | Yes | Yes | Yes | Yes | Yes | NVIDIA limitation. Set a single attribute at a time. |
| CKA_TRUSTED | No | No | No | No | No | NVIDIA limitation. Cannot create a trusted wrapping key at runtime. |
| CKA_CHECK_VALUE | No | No | No | No | No | NVIDIA limitation. |
| CKA_SUBJECT | No | No | No | No | No | NVIDIA limitation. |
| CKA_ID | Yes | Yes | Yes | Yes | Yes | NVIDIA limitation. Set a single attribute at a time. |
| CKA_SENSITIVE | No | No | No | No | No | NVIDIA limitation. |
| CKA_ENCRYPT | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. |
| CKA_DECRYPT | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. |
| CKA_WRAP | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. |
| CKA_UNWRAP | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. |
| CKA_SIGN | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. |
| CKA_SIGN_RECOVER | No | No | No | No | No | NVIDIA limitation. |
| CKA_VERIFY | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. |
| CKA_VERIFY_RECOVER | No | No | No | No | No | NVIDIA limitation. |
| CKA_DERIVE | No | No | No | No | No | NVIDIA limitation. Observe single purpose immutability rule. |
| CKA_START_DATE | No | No | No | No | No | NVIDIA limitation. |
| CKA_END_DATE | No | No | No | No | No | NVIDIA limitation. |
| CKA_PUBLIC_KEY_INFO | No | No | No | No | No | NVIDIA limitation. |
| CKA_EXTRACTABLE | No | No | No | No | No | NVIDIA limitation. |
| CKA_NVIDIA_USER_NONCE | No | No | No | No | No |  |

Get Attributes Support#

The following table lists attributes that differ by key type. It indicates whether a given attribute can be read with C_GetAttributeValue for a particular key type.

| Table Entry | Meaning |
|---|---|
| Yes | Indicates that the PKCS#11 library supports the attribute for the specific key type. |
| No | Indicates that the PKCS#11 library does not support the attribute for the specific key type. |
| No Get | Indicates that the attribute is sensitive and cannot be revealed. |

C_GetAttributeValue

| Attributes | EC Private | EC Public | RSA Public | Generic Secret | AES | Note |
|---|---|---|---|---|---|---|
| CKA_CLASS | Yes | Yes | Yes | Yes | Yes | |
| CKA_TOKEN | Yes | Yes | Yes | Yes | Yes | |
| CKA_PRIVATE | Yes | Yes | Yes | Yes | Yes | |
| CKA_LABEL | Yes | Yes | Yes | Yes | Yes | |
| CKA_VALUE | No | No | No | No Get | No Get | NVIDIA limitation. Attribute always sensitive and not returned. |
| CKA_TRUSTED | No | Yes | Yes | Yes | Yes | |
| CKA_CHECK_VALUE | No | No | No | No | No | NVIDIA limitation. Attribute not supported. |
| CKA_KEY_TYPE | Yes | Yes | Yes | Yes | Yes | |
| CKA_SUBJECT | No | No | No | No | No | NVIDIA limitation. Attribute not supported. |
| CKA_ID | Yes | Yes | Yes | Yes | Yes | |
| CKA_SENSITIVE | Yes | No | No | Yes | Yes | |
| CKA_ENCRYPT | No | Yes | Yes | No | Yes | |
| CKA_DECRYPT | Yes | No | No | No | Yes | |
| CKA_WRAP | No | Yes | Yes | No | Yes | |
| CKA_UNWRAP | Yes | No | No | No | Yes | |
| CKA_SIGN | Yes | No | No | Yes | Yes | |
| CKA_SIGN_RECOVER | No | No | No | No | No | NVIDIA limitation. Attribute not supported for Private keys. |
| CKA_VERIFY | No | Yes | Yes | Yes | Yes | |
| CKA_VERIFY_RECOVER | No | No | No | No | No | NVIDIA limitation. Attribute not supported for public keys. |
| CKA_DERIVE | Yes | Yes | Yes | Yes | Yes | |
| CKA_START_DATE | Yes | Yes | Yes | Yes | Yes | |
| CKA_END_DATE | Yes | Yes | Yes | Yes | Yes | |
| CKA_MODULUS | No | No | Yes | No | No | |
| CKA_MODULUS_BITS | No | No | Yes | No | No | |
| CKA_PUBLIC_EXPONENT | No | No | Yes | No | No | |
| CKA_PUBLIC_KEY_INFO | No | No | No | No | No | NVIDIA limitation. Attribute not supported for public keys. |
| CKA_VALUE_LEN | No | No | No | Yes | Yes | |
| CKA_EXTRACTABLE | Yes | No | No | Yes | Yes | |
| CKA_LOCAL | Yes | Yes | Yes | Yes | Yes | |
| CKA_NEVER_EXTRACTABLE | Yes | No | No | Yes | Yes | |
| CKA_ALWAYS_SENSITIVE | Yes | No | No | Yes | Yes | |
| CKA_KEY_GEN_MECHANISM | Yes | Yes | Yes | Yes | Yes | Contains a valid value only if CKA_LOCAL is TRUE. Else is CK_UNAVAILABLE_INFORMATION. |
| CKA_MODIFIABLE | Yes | Yes | Yes | Yes | Yes | |
| CKA_COPYABLE | Yes | Yes | Yes | Yes | Yes | |
| CKA_DESTROYABLE | Yes | Yes | Yes | Yes | Yes | |
| CKA_EC_PARAMS | Yes | Yes | No | No | No | NVIDIA limitation. Contains CK_UNAVAILABLE_INFORMATION. |
| CKA_EC_POINT | No | Yes | No | No | No | |
| CKA_WRAP_WITH_TRUSTED | Yes | No | No | Yes | Yes | |
| CKA_WRAP_TEMPLATE | No | No | No | No | No | NVIDIA limitation. Not supported. |
| CKA_UNWRAP_TEMPLATE | No | No | No | No | No | NVIDIA limitation. Not supported. |
| CKA_ALLOWED_MECHANISMS | Yes | Yes | Yes | Yes | Yes | |
| CKA_ALWAYS_AUTHENTICATE | No | No | No | No | No | NVIDIA limitation. Not supported. |
| CKA_NVIDIA_USER_NONCE | No | No | No | Yes | Yes | |

Create Data Object Attributes Support#

The following table indicates whether a given attribute in a template is supported for a Data Object being created.

| Table Entry | Meaning |
|---|---|
| Yes | Indicates that the PKCS#11 library supports the attribute for a Data Object. |
| No | Indicates that the PKCS#11 library does not support the attribute for a Data Object. |
| Read-only | The attribute is set to read-only for a Data Object. |
| (empty cell) | An empty cell in the Default Value column indicates that there is no specific value assigned to the attribute. |
| (Result of library function) | Indicates that the attribute value is determined by the PKCS#11 library. |

C_CreateObject

| Attributes | Data Object | Default Value | Note |
|---|---|---|---|
| CKA_CLASS | Yes | CKO_DATA | Mandatory template attribute. |
| CKA_TOKEN | Yes | FALSE | |
| CKA_PRIVATE | Read-only | TRUE | NVIDIA limitation. All objects are private. |
| CKA_LABEL | Yes | | |
| CKA_VALUE | Yes | | |
| CKA_ID | Yes | | NVIDIA limitation. Mandatory template attribute. |
| CKA_VALUE_LEN | Read-only | (Result of library function) | Must not be a template attribute. |
| CKA_MODIFIABLE | Yes | TRUE | |
| CKA_COPYABLE | Yes | TRUE | |
| CKA_DESTROYABLE | Yes | TRUE | |
| CKA_APPLICATION | Yes | | |
| CKA_OBJECT_ID | Yes | | |

Copy Data Object Attributes Support#

The table below indicates whether a given attribute in a template is supported for a Data Object being copied.

| Table Entry | Meaning |
|---|---|
| Yes | Indicates that the PKCS#11 library supports the attribute for a Data Object. |
| No | Indicates that the PKCS#11 library does not support the attribute for a Data Object. |
| Read-only | The attribute is set to read-only for a Data Object. |
| (empty cell) | An empty cell in the Default Value column indicates that there is no specific value assigned to the attribute. |
| (Result of library function) | Indicates that the PKCS#11 library determines the attribute value. |

C_CopyObject

| Attributes | Data Object | Default Value | Note |
|---|---|---|---|
| CKA_CLASS | Read-only | Inherited from Object being copied | |
| CKA_TOKEN | Read-only | Inherited from Object being copied | |
| CKA_PRIVATE | Read-only | Inherited from Object being copied | |
| CKA_LABEL | Yes | Inherited from Object being copied | |
| CKA_VALUE | Yes | Inherited from Object being copied | |
| CKA_ID | Yes | | NVIDIA limitation. Mandatory template attribute. |
| CKA_VALUE_LEN | Read-only | Inherited from Object being copied | |
| CKA_MODIFIABLE | Read-only | Inherited from Object being copied | |
| CKA_COPYABLE | Read-only | Inherited from Object being copied | |
| CKA_DESTROYABLE | Read-only | Inherited from Object being copied | |
| CKA_APPLICATION | Read-only | Inherited from Object being copied | |
| CKA_OBJECT_ID | Read-only | Inherited from Object being copied | |

Set Data Object Attributes Support#

The following table indicates whether a given attribute can be set with C_SetAttributeValue on a Data Object after it has been created.

| Table Entry | Meaning |
|---|---|
| Yes | Indicates that the PKCS#11 library supports setting the attribute for a Data Object. |
| No | Indicates that the PKCS#11 library does not support setting the attribute for a Data Object. |

C_SetAttributeValue

| Attributes | Data Object | Note |
|---|---|---|
| CKA_LABEL | Yes | NVIDIA limitation. Set a single attribute at a time. |
| CKA_VALUE | Yes | NVIDIA limitation. Set a single attribute at a time. |
| CKA_ID | Yes | NVIDIA limitation. Set a single attribute at a time. |
| CKA_APPLICATION | No | |
| CKA_OBJECT_ID | No | |

Get Data Object Attributes Support#

The following table indicates whether a given attribute can be read with C_GetAttributeValue from a Data Object after it has been created.

| Table Entry | Meaning |
|---|---|
| Yes | Indicates that the PKCS#11 library supports the attribute for a Data Object. |
| No | Indicates that the PKCS#11 library does not support the attribute for a Data Object. |

C_GetAttributeValue

| Attributes | Data Object | Note |
|---|---|---|
| CKA_CLASS | Yes | |
| CKA_TOKEN | Yes | |
| CKA_PRIVATE | Yes | |
| CKA_LABEL | Yes | |
| CKA_VALUE | Yes | |
| CKA_ID | Yes | |
| CKA_VALUE_LEN | Yes | |
| CKA_MODIFIABLE | Yes | |
| CKA_COPYABLE | Yes | |
| CKA_DESTROYABLE | Yes | |
| CKA_APPLICATION | Yes | |
| CKA_OBJECT_ID | Yes | |

Key Exclusive Usage Rules#

The PKCS#11 library restricts key usage attributes so that a key is usable for only a single purpose, or for a single class of purposes. The following purposes and purpose combinations are valid:

  • Encryption (CKA_ENCRYPT)

  • Decryption (CKA_DECRYPT)

  • Encryption and decryption (CKA_ENCRYPT | CKA_DECRYPT)

  • Signature generation (CKA_SIGN)

  • Signature verification (CKA_VERIFY)

  • Signature generation and verification (CKA_SIGN | CKA_VERIFY)

  • Key unwrapping (CKA_UNWRAP)

  • Key wrapping (CKA_WRAP)

  • Key unwrapping and wrapping (CKA_UNWRAP | CKA_WRAP)

  • Key derivation (CKA_DERIVE)

Key Usage Immutability#

The PKCS#11 library does not allow key usage attributes to be modified after the key has been created.

CKA_ID#

The PKCS#11 library requires that any CKA_ID generated by the client application satisfies the following constraints:

  • A byte array of CK_BYTEs, padded with space characters to 32 bytes

  • No NULL character

  • Must not start with "NV"

  • Unique on the token

The library returns CKR_ATTRIBUTE_VALUE_INVALID if any of these conditions is not met.

CKA_LABEL#

The PKCS#11 library requires that any CKA_LABEL provided by the client application satisfies the following constraints:

  • A byte array of 32 CK_BYTEs

  • No NULL character

Attribute Repeated in Template#

The PKCS#11 library returns CKR_TEMPLATE_INCONSISTENT if a template for an object specifies the same attribute more than once.

Surplus Attributes in Template#

The PKCS#11 library returns CKR_TEMPLATE_INCONSISTENT if a template for an object specifies attributes beyond those expected for that object.

Unwrap Template Not Supported#

The attribute CKA_UNWRAP_TEMPLATE is not supported.

Wrap Template Not Supported#

The attribute CKA_WRAP_TEMPLATE is not supported.

Unique ID Not Supported#

The attribute CKA_UNIQUE_ID is not supported.
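The rules in the sections above (exclusive key usage, the CKA_ID and CKA_LABEL constraints, repeated attributes, and the unsupported CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE and CKA_UNIQUE_ID attributes) can all be checked on the client side before a template is handed to C_CreateObject, which turns an opaque error code from the token into a precise diagnosis. The checker below is an added example written for this page, not code from NVIDIA's library. It defines only the handful of PKCS#11 types and constants it needs, with their standard values, instead of including pkcs11.h; the demo templates are constructed here, and the return codes chosen for an invalid usage combination and for an unsupported attribute (CKR_TEMPLATE_INCONSISTENT and CKR_ATTRIBUTE_TYPE_INVALID) are this checker's own choices, since the page does not state which codes the library returns in those two cases. CKA_ID uniqueness is not checked, because it can only be decided against the token's contents.

```c
/* Client-side pre-check of a PKCS#11 object template (added example, not
 * NVIDIA's library code). Constants carry their standard PKCS#11 values;
 * a real build would include pkcs11.h instead of defining them here. */
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_RV;
typedef unsigned char CK_BYTE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE 1
#define CKA_LABEL            0x00000003UL
#define CKA_UNIQUE_ID        0x00000004UL
#define CKA_ID               0x00000102UL
#define CKA_ENCRYPT          0x00000104UL
#define CKA_DECRYPT          0x00000105UL
#define CKA_WRAP             0x00000106UL
#define CKA_UNWRAP           0x00000107UL
#define CKA_SIGN             0x00000108UL
#define CKA_VERIFY           0x0000010AUL
#define CKA_DERIVE           0x0000010CUL
#define CKA_WRAP_TEMPLATE    0x40000211UL
#define CKA_UNWRAP_TEMPLATE  0x40000212UL
#define CKR_OK                       0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID   0x12UL
#define CKR_ATTRIBUTE_VALUE_INVALID  0x13UL
#define CKR_TEMPLATE_INCONSISTENT    0xD1UL

/* Usage bits for the exclusive-purpose check. */
enum { USE_ENC = 1, USE_DEC = 2, USE_SIGN = 4, USE_VER = 8,
       USE_WRAP = 16, USE_UNWRAP = 32, USE_DERIVE = 64 };

static int is_true(const CK_ATTRIBUTE *a) {
    return a->ulValueLen == sizeof(CK_BBOOL) && *(const CK_BBOOL *)a->pValue == CK_TRUE;
}

/* CKA_ID: exactly 32 bytes (space padded), no NUL, must not start with "NV". */
static CK_RV check_id(const CK_ATTRIBUTE *a) {
    const CK_BYTE *p = a->pValue;
    if (a->ulValueLen != 32 || memchr(p, '\0', 32) != NULL) return CKR_ATTRIBUTE_VALUE_INVALID;
    if (p[0] == 'N' && p[1] == 'V') return CKR_ATTRIBUTE_VALUE_INVALID;
    return CKR_OK;
}

/* CKA_LABEL: exactly 32 bytes, no NUL. */
static CK_RV check_label(const CK_ATTRIBUTE *a) {
    if (a->ulValueLen != 32 || memchr(a->pValue, '\0', 32) != NULL) return CKR_ATTRIBUTE_VALUE_INVALID;
    return CKR_OK;
}

/* Valid purpose sets from "Key Exclusive Usage Rules": any subset of
 * {ENCRYPT, DECRYPT}, of {SIGN, VERIFY}, of {WRAP, UNWRAP}, or DERIVE alone. */
static int usage_ok(unsigned m) {
    return (m & ~(unsigned)(USE_ENC | USE_DEC)) == 0 || (m & ~(unsigned)(USE_SIGN | USE_VER)) == 0 ||
           (m & ~(unsigned)(USE_WRAP | USE_UNWRAP)) == 0 || m == USE_DERIVE;
}

CK_RV precheck_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    unsigned mask = 0;
    for (CK_ULONG i = 0; i < n; i++) {
        for (CK_ULONG j = 0; j < i; j++)             /* attribute repeated in template */
            if (t[j].type == t[i].type) return CKR_TEMPLATE_INCONSISTENT;
        switch (t[i].type) {
        case CKA_ID:    { CK_RV rv = check_id(&t[i]);    if (rv != CKR_OK) return rv; break; }
        case CKA_LABEL: { CK_RV rv = check_label(&t[i]); if (rv != CKR_OK) return rv; break; }
        case CKA_ENCRYPT: if (is_true(&t[i])) mask |= USE_ENC;    break;
        case CKA_DECRYPT: if (is_true(&t[i])) mask |= USE_DEC;    break;
        case CKA_SIGN:    if (is_true(&t[i])) mask |= USE_SIGN;   break;
        case CKA_VERIFY:  if (is_true(&t[i])) mask |= USE_VER;    break;
        case CKA_WRAP:    if (is_true(&t[i])) mask |= USE_WRAP;   break;
        case CKA_UNWRAP:  if (is_true(&t[i])) mask |= USE_UNWRAP; break;
        case CKA_DERIVE:  if (is_true(&t[i])) mask |= USE_DERIVE; break;
        /* Not supported by the library; the return code is this checker's choice. */
        case CKA_WRAP_TEMPLATE: case CKA_UNWRAP_TEMPLATE: case CKA_UNIQUE_ID:
            return CKR_ATTRIBUTE_TYPE_INVALID;
        default: break;
        }
    }
    /* Purpose combination outside the documented list (code is this checker's choice). */
    return usage_ok(mask) ? CKR_OK : CKR_TEMPLATE_INCONSISTENT;
}

/* Space-pad a short ASCII id or label to the required 32 bytes. */
static void pad32(CK_BYTE out[32], const char *s) {
    size_t len = strlen(s);
    memset(out, ' ', 32);
    memcpy(out, s, len < 32 ? len : 32);
}

/* Constructed demo templates for an EC private signing key. */
CK_RV demo_valid_signing_key(void) {
    CK_BYTE id[32], label[32]; CK_BBOOL yes = CK_TRUE;
    pad32(id, "app-signing-key-01"); pad32(label, "application signing key");
    CK_ATTRIBUTE t[] = { { CKA_ID, id, 32 }, { CKA_LABEL, label, 32 }, { CKA_SIGN, &yes, sizeof yes } };
    return precheck_template(t, 3);                  /* CKR_OK */
}
CK_RV demo_conflicting_usage(void) {                 /* SIGN together with DERIVE */
    CK_BYTE id[32], label[32]; CK_BBOOL yes = CK_TRUE;
    pad32(id, "app-signing-key-02"); pad32(label, "mixed purpose key");
    CK_ATTRIBUTE t[] = { { CKA_ID, id, 32 }, { CKA_LABEL, label, 32 },
                         { CKA_SIGN, &yes, sizeof yes }, { CKA_DERIVE, &yes, sizeof yes } };
    return precheck_template(t, 4);                  /* CKR_TEMPLATE_INCONSISTENT */
}
CK_RV demo_reserved_id_prefix(void) {                /* CKA_ID starting with "NV" */
    CK_BYTE id[32]; pad32(id, "NV-key");
    CK_ATTRIBUTE t[] = { { CKA_ID, id, 32 } };
    return precheck_template(t, 1);                  /* CKR_ATTRIBUTE_VALUE_INVALID */
}
CK_RV demo_repeated_attribute(void) {                /* CKA_LABEL given twice */
    CK_BYTE label[32]; pad32(label, "duplicate label");
    CK_ATTRIBUTE t[] = { { CKA_LABEL, label, 32 }, { CKA_LABEL, label, 32 } };
    return precheck_template(t, 2);                  /* CKR_TEMPLATE_INCONSISTENT */
}
```

Running the checker first means a template that would be rejected by the token never leaves the application, and the specific rule that failed (reserved "NV" prefix, duplicate attribute, mixed purposes) is known locally rather than inferred from a single CKR_ code. It does not replace the token's own validation: uniqueness of CKA_ID and the surplus-attribute rule depend on the object class and the token's contents and are still enforced by the library.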