PKCS#11 – Supported Mechanism – Function Table per Token#
CCPLEX Token Table (Safety and Dynamic): |
|||||
|---|---|---|---|---|---|
Mechanism type |
Allowed operations |
Allowed key types (Used by or supplied to the mechanism) |
Allowed key sizes (Used by or supplied to the mechanism) |
Update allowed (True means data supplied over multiple parts supported) |
Notes |
CKM_SHA256 |
CKF_DIGEST |
True |
|||
CKM_SHA384 |
CKF_DIGEST |
True |
|||
CKM_SHA512 |
CKF_DIGEST |
True |
|||
CKM_SHA3_256 |
CKF_DIGEST |
True |
|||
CKM_SHA3_384 |
CKF_DIGEST |
True |
|||
CKM_SHA3_512 |
CKF_DIGEST |
True |
|||
CKM_SHA256_HMAC |
CKF_SIGN CKF_VERIFY CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY |
CKK_GENERIC_SECRET |
32B |
False |
NIST [FIPS 180-4] NIST [FIPS 198-1] |
CKM_AES_CBC |
CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT CKF_WRAP CKF_UNWRAP |
CKK_AES |
16B 32B |
True |
Wrap/Unwrap only supported for secret and private keys. Wrap/Unwrap not supported for token (persistent) objects. NIST [SP 800-38A] NIST [FIPS 197] |
CKM_AES_CBC_PAD |
CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT |
CKK_AES |
16B 32B |
True |
NIST [SP 800-38A] NIST [FIPS 197] |
CKM_AES_CTR |
CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT |
CKK_AES |
16B 32B |
True |
NIST [SP 800-38A] NIST [FIPS 197] |
CKM_AES_GCM |
CKF_UNWRAP CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT |
CKK_AES |
16B 32B |
False |
Only 96-bit IVs supported. NIST [SP 800-38D], NIST [FIPS 197] |
CKM_AES_CMAC |
CKF_SIGN CKF_VERIFY CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY |
CKK_AES |
16B 32B |
False |
NIST [SP 800-38B] NIST [FIPS 197] |
CKM_AES_GMAC |
CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY |
CKK_AES |
16B 32B |
True |
NIST [SP 800-38D] NIST [FIPS 197] |
CKM_RSA_PKCS_PSS |
CKF_VERIFY |
CKK_RSA |
384B 512B |
False |
Only 3072 and 4096-bit modulus sizes supported. SHA-256, SHA-384 and SHA-512 [FIPS 180-4] are supported for both the hash algorithm and Mask Generating Function (MGF1) [PKCS1-v2.2] |
CKM_RSA_PKCS |
CKF_VERIFY |
CKK_RSA |
256B |
False |
Only 2048-bit modulus sizes supported |
CKM_ECDSA |
CKF_SIGN CKF_VERIFY |
CKK_EC |
False |
Uses curve secp256r1 [SEC2-V2] Message must be prehashed using secure hash algorithm SHA-256 [FIPS 180-4] |
|
CKM_EDDSA |
CKF_SIGN CKF_VERIFY |
CKK_EC_EDWARDS |
False |
Uses curve Curve25519 Variants supported are Ed25519 and Ed25519ph [RFC 8032] |
|
CKM_SP800_108_COUNTER_KDF |
CKF_DERIVE |
CKK_AES CKK_GENERIC_SECRET |
16B 32B |
PRF variants supported are CKM_AES_CMAC [FIPS 197] and CKM_SHA256_HMAC [FIPS 198-1][FIPS 180-4] |
|
CKM_ECDH1_DERIVE |
CKF_DERIVE |
CKK_EC CKK_EC_MONTGOMERY |
Derives either a CKK_GENERIC_SECRET or CKK_AES with a base key on Curve25519 or secp256r1. Only valid with private base key. The derived key cannot be a token (persistent) objects |
||
CKM_AES_KEY_GEN |
CKF_GENERATE |
Generates 16B or 32B keys |
|||
CKM_GENERIC_SECRET_KEY_GEN |
CKF_GENERATE |
Generates 16B or 32B keys |
|||
CKM_EC_EDWARDS_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using Curve25519 in the Edwards form for Ed25519/Ed25519ph |
|||
CKM_EC_MONTGOMERY_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using Curve25519 in the Montgomery form for ECDH |
|||
CKM_EC_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using secp256r1 for ECDH or ECDSA [FIPS 186-4 Appendix B.4.2] |
|||
CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP |
CKF_WRAP |
CKK_AES |
16B 32B |
Custom mechanism for camera authentication |
|
CKM_NVIDIA_SP800_56C_TWO_STEPS_KDF |
CKF_DERIVE |
CKK_AES CKK_GENERIC_SECRET |
16B 32B |
Custom mechanism for camera authentication |
|
CKM_NVIDIA_MACSEC_AES_KEY_WRAP |
CKF_WRAP CKF_UNWRAP |
CKK_AES |
Custom mechanism for MACSEC Only supported on CCPLEX 13 |
||
CKM_NVIDIA_PSC_AES_CMAC |
CKF_SIGN CKF_VERIFY CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY |
CKK_AES |
16B 32B |
False |
Custom mechanism for MACSEC Only supported on CCPLEX 13 |
CKM_TLS12_MASTER_KEY_DERIVE_DH |
CKF_DERIVE |
CKK_GENERIC_SECRET |
Derives 48B keys. PRF supported is CKM_SHA256_HMAC. To be used only with ECDH outputs as base key. Not valid for token (persistent) base or derived keys |
||
CKM_TLS12_KDF |
CKF_DERIVE |
CKK_GENERIC_SECRET |
48B |
Derives 16B or 32B keys from CKK_GENERIC_SECRET key of 48B. PRF supported is CKM_SHA256_HMAC. Not valid for token (persistent) base or derived keys |
|
CKM_TLS12_MAC |
CKF_SIGN CKF_VERIFY |
CKK_GENERIC_SECRET |
48B |
False |
PRF supported is CKM_SHA256_HMAC |
CKM_TLS12_KEY_AND_MAC_DERIVE |
CKF_DERIVE |
CKK_GENERIC_SECRET |
48B |
Derives 16B or 32B keys from CKK_GENERIC_SECRET key of 48B. PRF supported is CKM_SHA256_HMAC. Not valid for token (persistent) base or derived keys |
|
CKM_TLS12_KEY_SAFE_DERIVE |
CKF_DERIVE |
CKK_GENERIC_SECRET |
48B |
Derives 16B or 32B keys from CKK_GENERIC_SECRET key of 48B. PRF supported is CKM_SHA256_HMAC. Not valid for token (persistent) base or derived keys |
|
CKM_NVIDIA_AES_GCM_KEY_UNWRAP |
CKF_UNWRAP |
CKK_AES |
16B 32B |
Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |
|
CKM_RSA_PKCS_OAEP |
CKF_WRAP |
CKK_RSA |
256B |
Only 2048-bit modulus sizes supported |
|
CKM_NVIDIA_OX5B_SHA256_KEY_DERIVATION |
CKF_DERIVE |
CKK_GENERIC_SECRET |
32B |
Custom mechanism for camera authentication. The base key must be extractable or not sensitive |
|
CKM_NVIDIA_SP800_56A_ONE_STEP_KDF |
CKF_DERIVE |
CKK_GENERIC_SECRET |
32B |
TSEC Dynamic Token Table |
|||||
|---|---|---|---|---|---|
Mechanism type |
Allowed operations |
Allowed key types (Used by or supplied to the mechanism) |
Allowed key sizes (Used by or supplied to the mechanism) |
Update allowed (True means data supplied over multiple parts supported) |
Notes |
CKM_SP800_108_COUNTER_KDF |
CKF_DERIVE |
CKK_AES CKK_GENERIC_SECRET |
16B |
PRF supported is CKM_AES_CMAC [FIPS 197] |
|
CKM_AES_GCM |
CKF_UNWRAP |
CKK_AES |
16B |
||
CKM_NVIDIA_AES_GCM_KEY_UNWRAP |
CKF_UNWRAP |
CKK_AES |
16B |
Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |
TSEC Safety Token Table |
|||||
|---|---|---|---|---|---|
Mechanism type |
Allowed operations |
Allowed key types (Used by or supplied to the mechanism) |
Allowed key sizes (Used by or supplied to the mechanism) |
Update allowed (True means data supplied over multiple parts supported) |
Notes |
CKM_AES_CMAC |
CKF_SIGN CKF_VERIFY |
CKK_AES |
16B |
False |
NIST [SP 800-38B] NIST [FIPS 197] |
TSECRADAR Dynamic Token Table |
|||||
|---|---|---|---|---|---|
Mechanism type |
Allowed operations |
Allowed key types (Used by or supplied to the mechanism) |
Allowed key sizes (Used by or supplied to the mechanism) |
Update allowed (True means data supplied over multiple parts supported) |
Notes |
CKM_SP800_108_COUNTER_KDF |
CKF_DERIVE |
CKK_AES CKK_GENERIC_SECRET |
16B 32B |
PRF supported is CKM_AES_CMAC [FIPS 197] |
|
CKM_AES_GCM |
CKF_UNWRAP |
CKK_AES |
16B 32B |
||
CKM_NVIDIA_AES_GCM_KEY_UNWRAP |
CKF_UNWRAP |
CKK_AES |
16B 32B |
Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |
|
CKM_EC_MONTGOMERY_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using Curve25519 in the Montgomery form for ECDH |
|||
CKM_EC_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using secp256r1 for ECDH or ECDSA [FIPS 186-4 Appendix B.4.2] |
TSECRADAR Safety Token Table |
|||||
|---|---|---|---|---|---|
Mechanism type |
Allowed operations |
Allowed key types (Used by or supplied to the mechanism) |
Allowed key sizes (Used by or supplied to the mechanism) |
Update allowed (True means data supplied over multiple parts supported) |
Notes |
CKM_EDDSA |
CKF_SIGN CKF_VERIFY |
CKK_EC_EDWARDS |
False |
Uses curve Curve25519 Variants supported are Ed25519 and Ed25519ph [RFC 8032] |
|
CKM_NVIDIA_TSECRADAR_AES_CMAC |
CKF_SIGN CKF_VERIFY |
CKK_AES |
16B |
False |
TSECRADAR-specific drop-in replacement for CKM_AES_CMAC. NIST [SP 800-38B] NIST [FIPS 197] |
CKM_SP800_108_COUNTER_KDF |
CKF_DERIVE |
CKK_AES CKK_GENERIC_SECRET |
16B 32B |
PRF variants supported are CKM_AES_CMAC [FIPS 197] and CKM_SHA256_HMAC [FIPS 198-1][FIPS 180-4] |
|
CKM_EC_MONTGOMERY_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using Curve25519 in the Montgomery form for ECDH |
|||
CKM_ECDH1_DERIVE |
CKF_DERIVE |
CKK_EC CKK_EC_MONTGOMERY |
Derives either a CKK_GENERIC_SECRET or CKK_AES with a base key on Curve25519 or secp256r1. Only valid with private base key. The derived key cannot be a token (persistent) object |
||
CKM_NVIDIA_SP800_56A_ONE_STEP_KDF |
CKF_DERIVE |
CKK_GENERIC_SECRET |
32B |
Custom mechanism for radar. Requires two base keys. |
|
CKM_AES_GCM |
CKF_UNWRAP |
CKK_AES |
16B 32B |
||
CKM_NVIDIA_AES_GCM_KEY_UNWRAP |
CKF_UNWRAP |
CKK_AES |
16B 32B |
Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |
|
CKM_ECDSA |
CKF_SIGNCKF_VERIFY |
CKK_EC |
False |
Uses curve secp256r1 [SEC2-V2] Message must be prehashed using secure hash algorithm SHA-256 [FIPS 180-4] |
|
CKM_EC_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using secp256r1 for ECDH or ECDSA [FIPS 186-4 Appendix B.4.2] |
FSI Dynamic Token Table |
|||||
|---|---|---|---|---|---|
Mechanism type |
Allowed operations |
Allowed key types (Used by or supplied to the mechanism) |
Allowed key sizes (Used by or supplied to the mechanism) |
Update allowed (True means data supplied over multiple parts supported) |
Notes |
CKM_SP800_108_COUNTER_KDF |
CKF_DERIVE |
CKK_AES CKK_GENERIC_SECRET |
16B 32B |
PRF variants supported are CKM_AES_CMAC [FIPS 197] and CKM_SHA256_HMAC [FIPS 198-1][FIPS 180-4] |
|
CKM_AES_KEY_GEN |
CKF_GENERATE |
Generates 16 or 32 byte keys |
|||
CKM_GENERIC_SECRET_KEY_GEN |
CKF_GENERATE |
Generates 16 or 32 byte keys |
|||
CKM_AES_GCM |
CKF_UNWRAP |
CKK_AES |
16B 32B |
||
CKM_NVIDIA_AES_GCM_KEY_UNWRAP |
CKF_UNWRAP |
CKK_AES |
16B 32B |
Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |
|
CKM_EC_EDWARDS_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using Curve25519 in the Edwards form for Ed25519/Ed25519ph |
|||
CKM_EC_MONTGOMERY_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using Curve25519 in the Montgomery form for ECDH |
|||
CKM_EC_KEY_PAIR_GEN |
CKF_GENERATE_KEY_PAIR |
Generates EC public/private key pairs using secp256r1 for ECDH or ECDSA [FIPS 186-4 Appendix B.4.2] |
|||
CKM_ECDH1_DERIVE |
CKF_DERIVE |
CKK_EC CKK_EC_MONTGOMERY |
Derives either a CKK_GENERIC_SECRET or CKK_AES with a base key on Curve25519 or secp256r1. Only valid with private base key. The derived key cannot be a token (persistent) object |