| PKCS#11 Function | Mechanism | Comment |
|---|---|---|
C_Initialize |
||
C_Finalize |
||
C_GetInfo |
||
C_GetFunctionList |
||
C_GetSlotList |
||
C_GetSlotInfo |
||
C_GetTokenInfo |
||
C_GetMechanismList |
||
C_GetMechanismInfo |
||
C_InitToken |
||
C_SetPIN |
||
C_OpenSession |
||
C_CloseSession |
||
C_CloseAllSessions |
||
C_GetSessionInfo |
||
C_Login |
||
C_Logout |
||
C_CreateObject |
With CKO_PRIVATE_KEY or CKO_CERTIFICATE |
|
C_DestroyObject |
||
C_GetObjectSize |
||
C_GetAttributeValue |
||
C_FindObjectsInit |
||
C_FindObjects |
||
C_FindObjectsFinal |
||
C_EncryptInit |
CKM_RSA_X_509, CKM_RSA_PKCS, CKM_RSA_PKCS_OAEP |
With RSA keys only. Uses OpenSSL encryption functions |
C_Encrypt |
With RSA keys only. Uses OpenSSL encryption functions |
|
C_EncryptUpdate |
With RSA keys only. Uses OpenSSL encryption functions |
|
C_EncryptFinal |
With RSA keys only. Uses OpenSSL encryption functions |
|
C_DecryptInit |
CKM_RSA_X_509, CKM_RSA_PKCS, CKM_RSA_PKCS_OAEP |
With RSA keys only. |
C_Decrypt |
With RSA keys only. |
|
C_DecryptUpdate |
With RSA keys only. |
|
C_DecryptFinal |
With RSA keys only. |
|
C_DigestInit |
CKM_SHA_1, CKM_SHA256, CKM_SHA384, CKM_SHA512 |
Uses OpenSSL digest functions |
C_Digest |
Uses OpenSSL digest functions |
|
C_DigestUpdate |
Uses OpenSSL digest functions |
|
C_DigestFinal |
Uses OpenSSL digest functions |
|
C_SignInit |
CKM_RSA_X_509, CKM_RSA_PKCS, CKM_SHA1_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS_PSS, CKM_SHA1_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS, CKM_ECDSA, CKM_ECDSA_SHA1, CKM_ECDSA_SHA224, CKM_ECDSA_SHA256, CKM_ECDSA_SHA384 |
|
C_Sign |
||
C_SignUpdate |
||
C_SignFinal |
||
C_VerifyInit |
CKM_RSA_X_509, CKM_RSA_PKCS, CKM_SHA1_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS_PSS, CKM_SHA1_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS, CKM_ECDSA, CKM_ECDSA_SHA1, CKM_ECDSA_SHA224, CKM_ECDSA_SHA256, CKM_ECDSA_SHA384 |
Uses OpenSSL verification functions |
C_Verify |
Uses OpenSSL verification functions |
|
C_VerifyUpdate |
Uses OpenSSL verification functions |
|
C_VerifyFinal |
Uses OpenSSL verification functions |
|
C_GenerateKeyPair |
CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_EC_KEY_PAIR_GEN |
Not all PKCS#11 Object types are implemented. This is a list of what is implemented and what it maps to.
| PKCS#11 | Supported CKK | Comment |
|---|---|---|
CKO_PRIVATE_KEY |
CKK_RSA, CKK_EC |
RSA 1024 and 2048 with e=0x10001, EC with secp256r1, secp384r1 |
CKO_PUBLIC_KEY |
Stored in X509 Certificates |
|
CKO_CERTIFICATE |
X509 Certificates containing either the public key or the attestation certificate |
|
CKO_DATA |
| Attribute | Private key object | Public key object | Certificate object | Data object |
|---|---|---|---|---|
CKA_CLASS |
X |
X |
X |
X |
CKA_ID |
X |
X |
X |
X |
CKA_TOKEN |
X |
X |
X |
X |
CKA_PRIVATE |
X |
X |
X |
X |
CKA_LABEL |
X |
X |
X |
X |
CKA_APPLICATION |
X |
|||
CKA_OBJECT_ID |
X |
|||
CKA_MODIFIABLE |
X |
X |
X |
X |
CKA_VALUE |
X |
X |
||
CKA_SUBJECT |
X |
|||
CKA_ISSUER |
X |
|||
CKA_SERIALNUMBER |
X |
|||
CKA_CERTIFICATE_TYPE |
X |
|||
KcA_TRUSTED |
X |
X |
||
CKA_KEY_TYPE |
X |
X |
||
CKA_SENSITIVE |
X |
|||
CKA_ALWAYS_SENSITIVE |
X |
|||
CKA_EXTRACTABLE |
X |
|||
CKA_NEVER_EXTRACTABLE |
X |
|||
CKA_LOCAL |
X |
X |
||
CKA_ENCRYPT |
X |
|||
CKA_DECRYPT |
X |
|||
CKA_WRAP |
X |
|||
CKA_UNWRAP |
X |
|||
CKA_SIGN |
X |
|||
CKA_VERIFY |
X |
|||
CKA_DERIVE |
X |
X |
||
CKA_MODULUS |
X |
X |
||
CKA_EC_POINT |
X |
X |
||
CKA_EC_PARAMS |
X |
X |
||
CKA_MODULUS_BITS |
X |
X |
||
CKA_PUBLIC_EXPONENT |
X |
X |
||
CKA_ALWAYS_AUTHENTICATE |
X |
Some applications, mainly Java, specify the keys to use by their key alias, which is refered to as a key’s label by PKCS#11. Objects' labels as access by YKCS11 are fixed values and are unmodifiable. Following is the list of object lables according to their object type and the slot they reside in (See PIV Certificate Slots for the slot usage).
| Slot | Private key | Public key | Certificate | Attestation certificate | Data object |
|---|---|---|---|---|---|
9a |
Private key for PIV Authentication |
Public key for PIV Authentication |
X.509 Certificate for PIV Authentication |
X.509 Certificate for PIV Attestation 9a |
X.509 Certificate for PIV Authentication |
9c |
Private key for Digital Signature |
Public key for Digital Signature |
X.509 Certificate for Digital Signature |
X.509 Certificate for PIV Attestation 9c |
X.509 Certificate for Digital Signature |
9d |
Private key for Key Management |
Public key for Key Management |
X.509 Certificate for Key Management |
X.509 Certificate for PIV Attestation 9d |
X.509 Certificate for Key Management |
9e |
Private key for Card Authentication |
Public key for Card Authentication |
X.509 Certificate for Card Authentication |
X.509 Certificate for PIV Attestation 9e |
X.509 Certificate for Card Authentication |
82 |
Private key for Retired Key 1 |
Public key for Retired Key 1 |
X.509 Certificate for Retired Key 1 |
X.509 Certificate for PIV Attestation 82 |
X.509 Certificate for Retired Key 1 |
83 |
Private key for Retired Key 2 |
Public key for Retired Key 2 |
X.509 Certificate for Retired Key 2 |
X.509 Certificate for PIV Attestation 83 |
X.509 Certificate for Retired Key 2 |
84 |
Private key for Retired Key 3 |
Public key for Retired Key 3 |
X.509 Certificate for Retired Key 3 |
X.509 Certificate for PIV Attestation 84 |
X.509 Certificate for Retired Key 3 |
85 |
Private key for Retired Key 4 |
Public key for Retired Key 4 |
X.509 Certificate for Retired Key 4 |
X.509 Certificate for PIV Attestation 85 |
X.509 Certificate for Retired Key 4 |
86 |
Private key for Retired Key 5 |
Public key for Retired Key 5 |
X.509 Certificate for Retired Key 5 |
X.509 Certificate for PIV Attestation 86 |
X.509 Certificate for Retired Key 5 |
87 |
Private key for Retired Key 6 |
Public key for Retired Key 6 |
X.509 Certificate for Retired Key 6 |
X.509 Certificate for PIV Attestation 87 |
X.509 Certificate for Retired Key 6 |
88 |
Private key for Retired Key 7 |
Public key for Retired Key 7 |
X.509 Certificate for Retired Key 7 |
X.509 Certificate for PIV Attestation 88 |
X.509 Certificate for Retired Key 7 |
89 |
Private key for Retired Key 8 |
Public key for Retired Key 8 |
X.509 Certificate for Retired Key 8 |
X.509 Certificate for PIV Attestation 89 |
X.509 Certificate for Retired Key 8 |
8a |
Private key for Retired Key 9 |
Public key for Retired Key 9 |
X.509 Certificate for Retired Key 9 |
X.509 Certificate for PIV Attestation 8a |
X.509 Certificate for Retired Key 9 |
8b |
Private key for Retired Key 10 |
Public key for Retired Key 10 |
X.509 Certificate for Retired Key 10 |
X.509 Certificate for PIV Attestation 8b |
X.509 Certificate for Retired Key 10 |
8c |
Private key for Retired Key 11 |
Public key for Retired Key 11 |
X.509 Certificate for Retired Key 11 |
X.509 Certificate for PIV Attestation 8c |
X.509 Certificate for Retired Key 11 |
8d |
Private key for Retired Key 12 |
Public key for Retired Key 12 |
X.509 Certificate for Retired Key 12 |
X.509 Certificate for PIV Attestation 8d |
X.509 Certificate for Retired Key 12 |
8e |
Private key for Retired Key 13 |
Public key for Retired Key 13 |
X.509 Certificate for Retired Key 13 |
X.509 Certificate for PIV Attestation 8e |
X.509 Certificate for Retired Key 13 |
8f |
Private key for Retired Key 14 |
Public key for Retired Key 14 |
X.509 Certificate for Retired Key 14 |
X.509 Certificate for PIV Attestation 8f |
X.509 Certificate for Retired Key 14 |
90 |
Private key for Retired Key 15 |
Public key for Retired Key 15 |
X.509 Certificate for Retired Key 15 |
X.509 Certificate for PIV Attestation 90 |
X.509 Certificate for Retired Key 15 |
91 |
Private key for Retired Key 16 |
Public key for Retired Key 16 |
X.509 Certificate for Retired Key 16 |
X.509 Certificate for PIV Attestation 91 |
X.509 Certificate for Retired Key 16 |
92 |
Private key for Retired Key 17 |
Public key for Retired Key 17 |
X.509 Certificate for Retired Key 17 |
X.509 Certificate for PIV Attestation 92 |
X.509 Certificate for Retired Key 17 |
93 |
Private key for Retired Key 18 |
Public key for Retired Key 18 |
X.509 Certificate for Retired Key 18 |
X.509 Certificate for PIV Attestation 93 |
X.509 Certificate for Retired Key 18 |
94 |
Private key for Retired Key 19 |
Public key for Retired Key 19 |
X.509 Certificate for Retired Key 19 |
X.509 Certificate for PIV Attestation 94 |
X.509 Certificate for Retired Key 19 |
95 |
Private key for Retired Key 20 |
Public key for Retired Key 20 |
X.509 Certificate for Retired Key 20 |
X.509 Certificate for PIV Attestation 95 |
X.509 Certificate for Retired Key 20 |
f9 |
Private key for PIV Attestation |
Public key for PIV Attestation |
X.509 Certificate for PIV Attestation |
X.509 Certificate for PIV Attestation f9 |
X.509 Certificate for PIV Attestation |