PKCS#11 – Supported Mechanism – Function Table per Token

CCPLEX Token Table (Safety and Dynamic):

| Mechanism type | Allowed operations | Allowed key types (Used by or supplied to the mechanism) | Allowed key sizes (Used by or supplied to the mechanism) | Update allowed (True means data supplied over multiple parts supported) | Notes |
| --- | --- | --- | --- | --- | --- |
| CKM_SHA256 | CKF_DIGEST | | | True | |
| CKM_SHA384 | CKF_DIGEST | | | True | |
| CKM_SHA512 | CKF_DIGEST | | | True | |
| CKM_SHA3_256 | CKF_DIGEST | | | True | |
| CKM_SHA3_384 | CKF_DIGEST | | | True | |
| CKM_SHA3_512 | CKF_DIGEST | | | True | |
| CKM_SHA256_HMAC | CKF_SIGN CKF_VERIFY CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY | CKK_GENERIC_SECRET | 32B | False | NIST [FIPS 180-4], NIST [FIPS 198-1] |
| CKM_AES_CBC | CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT CKF_WRAP CKF_UNWRAP | CKK_AES | 16B 32B | True | Wrap/Unwrap only supported for secret and private keys. Wrap/Unwrap not supported for token (persistent) objects. NIST [SP 800-38A], NIST [FIPS 197] |
| CKM_AES_CBC_PAD | CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT | CKK_AES | 16B 32B | True | NIST [SP 800-38A], NIST [FIPS 197] |
| CKM_AES_CTR | CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT | CKK_AES | 16B 32B | True | NIST [SP 800-38A], NIST [FIPS 197] |
| CKM_AES_GCM | CKF_UNWRAP CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT | CKK_AES | 16B 32B | False | Only 96-bit IVs supported. NIST [SP 800-38D], NIST [FIPS 197] |
| CKM_AES_CMAC | CKF_SIGN CKF_VERIFY CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY | CKK_AES | 16B 32B | False | NIST [SP 800-38B], NIST [FIPS 197] |
| CKM_AES_GMAC | CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY | CKK_AES | 16B 32B | True | NIST [SP 800-38D], NIST [FIPS 197] |
| CKM_RSA_PKCS_PSS | CKF_VERIFY | CKK_RSA | 384B 512B | False | Only 3072 and 4096-bit modulus sizes supported. SHA-256, SHA-384 and SHA-512 [FIPS 180-4] are supported for both the hash algorithm and Mask Generating Function (MGF1) [PKCS1-v2.2] |
| CKM_RSA_PKCS | CKF_VERIFY | CKK_RSA | 256B | False | Only 2048-bit modulus sizes supported |
| CKM_ECDSA | CKF_SIGN CKF_VERIFY | CKK_EC | | False | Uses curve secp256r1 [SEC2-V2]. Message must be prehashed using secure hash algorithm SHA-256 [FIPS 180-4] |
| CKM_EDDSA | CKF_SIGN CKF_VERIFY | CKK_EC_EDWARDS | | False | Uses curve Curve25519. Variants supported are Ed25519 and Ed25519ph [RFC 8032] |
| CKM_SP800_108_COUNTER_KDF | CKF_DERIVE | CKK_AES CKK_GENERIC_SECRET | 16B 32B | | PRF variants supported are CKM_AES_CMAC [FIPS 197] and CKM_SHA256_HMAC [FIPS 198-1][FIPS 180-4] |
| CKM_ECDH1_DERIVE | CKF_DERIVE | CKK_EC CKK_EC_MONTGOMERY | | | Derives either a CKK_GENERIC_SECRET or CKK_AES with a base key on Curve25519 or secp256r1. Only valid with private base key. The derived key cannot be a token (persistent) object |
| CKM_AES_KEY_GEN | CKF_GENERATE | | | | Generates 16B or 32B keys |
| CKM_GENERIC_SECRET_KEY_GEN | CKF_GENERATE | | | | Generates 16B or 32B keys |
| CKM_EC_EDWARDS_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using Curve25519 in the Edwards form for Ed25519/Ed25519ph |
| CKM_EC_MONTGOMERY_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using Curve25519 in the Montgomery form for ECDH |
| CKM_EC_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using secp256r1 for ECDH or ECDSA [FIPS 186-4 Appendix B.4.2] |
| CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP | CKF_WRAP | CKK_AES | 16B 32B | | Custom mechanism for camera authentication |
| CKM_NVIDIA_SP800_56C_TWO_STEPS_KDF | CKF_DERIVE | CKK_AES CKK_GENERIC_SECRET | 16B 32B | | Custom mechanism for camera authentication |
| CKM_NVIDIA_MACSEC_AES_KEY_WRAP | CKF_WRAP CKF_UNWRAP | CKK_AES | | | Custom mechanism for MACSEC. Only supported on CCPLEX 13 |
| CKM_NVIDIA_PSC_AES_CMAC | CKF_SIGN CKF_VERIFY CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY | CKK_AES | 16B 32B | False | Custom mechanism for MACSEC. Only supported on CCPLEX 13 |
| CKM_TLS12_MASTER_KEY_DERIVE_DH | CKF_DERIVE | CKK_GENERIC_SECRET | | | Derives 48B keys. PRF supported is CKM_SHA256_HMAC. To be used only with ECDH outputs as base key. Not valid for token (persistent) base or derived keys |
| CKM_TLS12_KDF | CKF_DERIVE | CKK_GENERIC_SECRET | 48B | | Derives 16B or 32B keys from CKK_GENERIC_SECRET key of 48B. PRF supported is CKM_SHA256_HMAC. Not valid for token (persistent) base or derived keys |
| CKM_TLS12_MAC | CKF_SIGN CKF_VERIFY | CKK_GENERIC_SECRET | 48B | False | PRF supported is CKM_SHA256_HMAC |
| CKM_TLS12_KEY_AND_MAC_DERIVE | CKF_DERIVE | CKK_GENERIC_SECRET | 48B | | Derives 16B or 32B keys from CKK_GENERIC_SECRET key of 48B. PRF supported is CKM_SHA256_HMAC. Not valid for token (persistent) base or derived keys |
| CKM_TLS12_KEY_SAFE_DERIVE | CKF_DERIVE | CKK_GENERIC_SECRET | 48B | | Derives 16B or 32B keys from CKK_GENERIC_SECRET key of 48B. PRF supported is CKM_SHA256_HMAC. Not valid for token (persistent) base or derived keys |
| CKM_NVIDIA_AES_GCM_KEY_UNWRAP | CKF_UNWRAP | CKK_AES | 16B 32B | | Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |
| CKM_RSA_PKCS_OAEP | CKF_WRAP | CKK_RSA | 256B | | Only 2048-bit modulus sizes supported |
| CKM_NVIDIA_OX5B_SHA256_KEY_DERIVATION | CKF_DERIVE | CKK_GENERIC_SECRET | 32B | | Custom mechanism for camera authentication. The base key must be extractable or not sensitive |
| CKM_NVIDIA_SP800_56A_ONE_STEP_KDF | CKF_DERIVE | CKK_GENERIC_SECRET | 32B | | |

TSEC Dynamic Token Table

| Mechanism type | Allowed operations | Allowed key types (Used by or supplied to the mechanism) | Allowed key sizes (Used by or supplied to the mechanism) | Update allowed (True means data supplied over multiple parts supported) | Notes |
| --- | --- | --- | --- | --- | --- |
| CKM_SP800_108_COUNTER_KDF | CKF_DERIVE | CKK_AES CKK_GENERIC_SECRET | 16B | | PRF supported is CKM_AES_CMAC [FIPS 197] |
| CKM_AES_GCM | CKF_UNWRAP | CKK_AES | 16B | | |
| CKM_NVIDIA_AES_GCM_KEY_UNWRAP | CKF_UNWRAP | CKK_AES | 16B | | Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |

TSEC Safety Token Table

| Mechanism type | Allowed operations | Allowed key types (Used by or supplied to the mechanism) | Allowed key sizes (Used by or supplied to the mechanism) | Update allowed (True means data supplied over multiple parts supported) | Notes |
| --- | --- | --- | --- | --- | --- |
| CKM_AES_CMAC | CKF_SIGN CKF_VERIFY | CKK_AES | 16B | False | NIST [SP 800-38B], NIST [FIPS 197] |

TSECRADAR Dynamic Token Table

| Mechanism type | Allowed operations | Allowed key types (Used by or supplied to the mechanism) | Allowed key sizes (Used by or supplied to the mechanism) | Update allowed (True means data supplied over multiple parts supported) | Notes |
| --- | --- | --- | --- | --- | --- |
| CKM_SP800_108_COUNTER_KDF | CKF_DERIVE | CKK_AES CKK_GENERIC_SECRET | 16B 32B | | PRF supported is CKM_AES_CMAC [FIPS 197] |
| CKM_AES_GCM | CKF_UNWRAP | CKK_AES | 16B 32B | | |
| CKM_NVIDIA_AES_GCM_KEY_UNWRAP | CKF_UNWRAP | CKK_AES | 16B 32B | | Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |
| CKM_EC_MONTGOMERY_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using Curve25519 in the Montgomery form for ECDH |
| CKM_EC_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using secp256r1 for ECDH or ECDSA [FIPS 186-4 Appendix B.4.2] |

TSECRADAR Safety Token Table

| Mechanism type | Allowed operations | Allowed key types (Used by or supplied to the mechanism) | Allowed key sizes (Used by or supplied to the mechanism) | Update allowed (True means data supplied over multiple parts supported) | Notes |
| --- | --- | --- | --- | --- | --- |
| CKM_EDDSA | CKF_SIGN CKF_VERIFY | CKK_EC_EDWARDS | | False | Uses curve Curve25519. Variants supported are Ed25519 and Ed25519ph [RFC 8032] |
| CKM_NVIDIA_TSECRADAR_AES_CMAC | CKF_SIGN CKF_VERIFY | CKK_AES | 16B | False | TSECRADAR-specific drop-in replacement for CKM_AES_CMAC. NIST [SP 800-38B], NIST [FIPS 197] |
| CKM_SP800_108_COUNTER_KDF | CKF_DERIVE | CKK_AES CKK_GENERIC_SECRET | 16B 32B | | PRF variants supported are CKM_AES_CMAC [FIPS 197] and CKM_SHA256_HMAC [FIPS 198-1][FIPS 180-4] |
| CKM_EC_MONTGOMERY_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using Curve25519 in the Montgomery form for ECDH |
| CKM_ECDH1_DERIVE | CKF_DERIVE | CKK_EC CKK_EC_MONTGOMERY | | | Derives either a CKK_GENERIC_SECRET or CKK_AES with a base key on Curve25519 or secp256r1. Only valid with private base key. The derived key cannot be a token (persistent) object |
| CKM_NVIDIA_SP800_56A_ONE_STEP_KDF | CKF_DERIVE | CKK_GENERIC_SECRET | 32B | | Custom mechanism for radar. Requires two base keys. |
| CKM_AES_GCM | CKF_UNWRAP | CKK_AES | 16B 32B | | |
| CKM_NVIDIA_AES_GCM_KEY_UNWRAP | CKF_UNWRAP | CKK_AES | 16B 32B | | Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |
| CKM_ECDSA | CKF_SIGN CKF_VERIFY | CKK_EC | | False | Uses curve secp256r1 [SEC2-V2]. Message must be prehashed using secure hash algorithm SHA-256 [FIPS 180-4] |
| CKM_EC_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using secp256r1 for ECDH or ECDSA [FIPS 186-4 Appendix B.4.2] |

FSI Dynamic Token Table

| Mechanism type | Allowed operations | Allowed key types (Used by or supplied to the mechanism) | Allowed key sizes (Used by or supplied to the mechanism) | Update allowed (True means data supplied over multiple parts supported) | Notes |
| --- | --- | --- | --- | --- | --- |
| CKM_SP800_108_COUNTER_KDF | CKF_DERIVE | CKK_AES CKK_GENERIC_SECRET | 16B 32B | | PRF variants supported are CKM_AES_CMAC [FIPS 197] and CKM_SHA256_HMAC [FIPS 198-1][FIPS 180-4] |
| CKM_AES_KEY_GEN | CKF_GENERATE | | | | Generates 16 or 32 byte keys |
| CKM_GENERIC_SECRET_KEY_GEN | CKF_GENERATE | | | | Generates 16 or 32 byte keys |
| CKM_AES_GCM | CKF_UNWRAP | CKK_AES | 16B 32B | | |
| CKM_NVIDIA_AES_GCM_KEY_UNWRAP | CKF_UNWRAP | CKK_AES | 16B 32B | | Custom mechanism for unwrapping keys where the key attributes are supplied via the Additional Authenticated Data (AAD) input |
| CKM_EC_EDWARDS_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using Curve25519 in the Edwards form for Ed25519/Ed25519ph |
| CKM_EC_MONTGOMERY_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using Curve25519 in the Montgomery form for ECDH |
| CKM_EC_KEY_PAIR_GEN | CKF_GENERATE_KEY_PAIR | | | | Generates EC public/private key pairs using secp256r1 for ECDH or ECDSA [FIPS 186-4 Appendix B.4.2] |
| CKM_ECDH1_DERIVE | CKF_DERIVE | CKK_EC CKK_EC_MONTGOMERY | | | Derives either a CKK_GENERIC_SECRET or CKK_AES with a base key on Curve25519 or secp256r1. Only valid with private base key. The derived key cannot be a token (persistent) object |