Specifications

PKCS#11 Version

Library                           PKCS#11 Version
libprimusP11.so, primusP11.dll    3.0

Supported Mechanisms

Mechanism                     Key Size Min  Key Size Max  Flags
CKM_RSA_PKCS                  1024          8192          CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY | CKF_WRAP | CKF_UNWRAP
CKM_RSA_PKCS_KEY_PAIR_GEN     1024          8192          CKF_HW | CKF_GENERATE_KEY_PAIR
CKM_RSA_PKCS_OAEP             1024          8192          CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP
CKM_RSA_PKCS_PSS              1024          8192          CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_RSA_X_509                 1024          8192          CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY | CKF_WRAP | CKF_UNWRAP
CKM_MD5_RSA_PKCS              1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_RIPEMD160_RSA_PKCS        1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA1_RSA_PKCS             1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA1_RSA_PKCS_PSS         1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA224_RSA_PKCS           1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA224_RSA_PKCS_PSS       1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA256_RSA_PKCS           1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA256_RSA_PKCS_PSS       1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA384_RSA_PKCS           1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA384_RSA_PKCS_PSS       1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA512_RSA_PKCS           1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA512_RSA_PKCS_PSS       1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_224_RSA_PKCS         1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_224_RSA_PKCS_PSS     1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_256_RSA_PKCS         1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_256_RSA_PKCS_PSS     1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_384_RSA_PKCS         1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_384_RSA_PKCS_PSS     1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_512_RSA_PKCS         1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_512_RSA_PKCS_PSS     1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DSA_KEY_PAIR_GEN          1024          8192          CKF_HW | CKF_GENERATE_KEY_PAIR
CKM_DSA_PARAMETER_GEN         1024          3072          CKF_HW | CKF_GENERATE
CKM_DSA_SHA1                  1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DSA_SHA224                1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DSA_SHA256                1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DSA_SHA384                1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DSA_SHA512                1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DSA_SHA3_224              1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DSA_SHA3_256              1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DSA_SHA3_384              1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DSA_SHA3_512              1024          8192          CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_EC_KEY_PAIR_GEN           224           521           CKF_HW | CKF_GENERATE_KEY_PAIR | CKF_EC_F_P | CKF_EC_ECPARAMETERS | CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS | CKF_EC_COMPRESS
CKM_ECDSA                     224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_ECDSA_SHA1                224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_ECDSA_SHA224              224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_ECDSA_SHA256              224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_ECDSA_SHA384              224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_ECDSA_SHA512              224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_ECDSA_SHA3_224            224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_ECDSA_SHA3_256            224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_ECDSA_SHA3_384            224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_ECDSA_SHA3_512            224           521           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_EC_EDWARDS_KEY_PAIR_GEN   256           448           CKF_HW | CKF_GENERATE_KEY_PAIR
CKM_EDDSA                     256           448           CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DH_PKCS_KEY_PAIR_GEN      1024          8192          CKF_HW | CKF_GENERATE_KEY_PAIR
CKM_DH_PKCS_PARAMETER_GEN     1024          1024          CKF_HW | CKF_GENERATE
CKM_DH_PKCS_DERIVE            1024          8192          CKF_HW | CKF_DERIVE
CKM_X9_42_DH_KEY_PAIR_GEN     1024          8192          CKF_HW | CKF_GENERATE_KEY_PAIR
CKM_X9_42_DH_PARAMETER_GEN    1024          3072          CKF_HW | CKF_GENERATE
CKM_X9_42_DH_DERIVE           1024          8192          CKF_HW | CKF_DERIVE
CKM_ECDH1_DERIVE              224           521           CKF_HW | CKF_DERIVE
CKM_AES_KEY_GEN               16            32            CKF_HW | CKF_GENERATE
CKM_AES_ECB                   16            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP
CKM_AES_CBC                   16            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP
CKM_AES_CBC_PAD               16            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP
CKM_AES_GCM                   16            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT
CKM_AES_CTR                   16            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT
CKM_AES_MAC                   16            32            CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_AES_CMAC                  16            32            CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_AES_GMAC                  16            32            CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_AES_KEY_WRAP              16            32            CKF_HW | CKF_WRAP | CKF_UNWRAP
CKM_AES_KEY_WRAP_PAD          16            32            CKF_HW | CKF_WRAP | CKF_UNWRAP
CKM_CAMELLIA_KEY_GEN          16            32            CKF_HW | CKF_GENERATE
CKM_CAMELLIA_ECB              16            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT
CKM_CAMELLIA_CBC              16            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT
CKM_CAMELLIA_CBC_PAD          16            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT
CKM_CAMELLIA_MAC              16            32            CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_DES2_KEY_GEN              16            16            CKF_HW | CKF_GENERATE
CKM_DES3_KEY_GEN              24            24            CKF_HW | CKF_GENERATE
CKM_DES3_ECB                  16            24            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP
CKM_DES3_CBC                  16            24            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP
CKM_DES3_CBC_PAD              16            24            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP
CKM_DES3_CMAC                 16            24            CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_MD5                       0             0             CKF_HW | CKF_DIGEST
CKM_RIPEMD160                 0             0             CKF_HW | CKF_DIGEST
CKM_SHA_1                     0             0             CKF_HW | CKF_DIGEST
CKM_SHA224                    0             0             CKF_HW | CKF_DIGEST
CKM_SHA256                    0             0             CKF_HW | CKF_DIGEST
CKM_SHA384                    0             0             CKF_HW | CKF_DIGEST
CKM_SHA512                    0             0             CKF_HW | CKF_DIGEST
CKM_SHA3_224                  0             0             CKF_HW | CKF_DIGEST
CKM_SHA3_256                  0             0             CKF_HW | CKF_DIGEST
CKM_SHA3_384                  0             0             CKF_HW | CKF_DIGEST
CKM_SHA3_512                  0             0             CKF_HW | CKF_DIGEST
CKM_MD5_HMAC                  0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_RIPEMD160_HMAC            0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA_1_HMAC                0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA224_HMAC               0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA256_HMAC               0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA384_HMAC               0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA512_HMAC               0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_224_HMAC             0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_256_HMAC             0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_384_HMAC             0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_SHA3_512_HMAC             0             0             CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_CHACHA20                  32            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT
CKM_CHACHA20_KEY_GEN          32            32            CKF_HW | CKF_GENERATE
CKM_POLY1305                  32            32            CKF_HW | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY | CKF_SIGN | CKF_VERIFY
CKM_POLY1305_KEY_GEN          32            32            CKF_HW | CKF_GENERATE
CKM_CHACHA20_POLY1305         32            32            CKF_HW | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_ENCRYPT | CKF_DECRYPT
CKM_GENERIC_SECRET_KEY_GEN    16            8192          CKF_HW | CKF_GENERATE
CKM_KEY_SPLIT                 0             0             CKF_HW | CKF_DERIVE
CKM_SHA1_KEY_DERIVATION       0             0             CKF_HW | CKF_DERIVE
CKM_SHA224_KEY_DERIVATION     0             0             CKF_HW | CKF_DERIVE
CKM_SHA256_KEY_DERIVATION     0             0             CKF_HW | CKF_DERIVE
CKM_SHA384_KEY_DERIVATION     0             0             CKF_HW | CKF_DERIVE
CKM_SHA512_KEY_DERIVATION     0             0             CKF_HW | CKF_DERIVE

Supported ECC Curves

OID name                           OID hex-value                                                  OID
secp224k1                          {0x06,0x05,0x2B,0x81,0x04,0x00,0x20}                           1.3.132.0.32
secp224r1                          {0x06,0x05,0x2B,0x81,0x04,0x00,0x21}                           1.3.132.0.33
secp256k1                          {0x06,0x05,0x2B,0x81,0x04,0x00,0x0A}                           1.3.132.0.10
secp256r1, prime256v1, NIST P-256  {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07}            1.2.840.10045.3.1.7
secp384r1, NIST P-384              {0x06,0x05,0x2B,0x81,0x04,0x00,0x22}                           1.3.132.0.34
secp521r1, NIST P-521              {0x06,0x05,0x2B,0x81,0x04,0x00,0x23}                           1.3.132.0.35
x962_p239v1                        {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04}            1.2.840.10045.3.1.4
x962_p239v2                        {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05}            1.2.840.10045.3.1.5
x962_p239v3                        {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06}            1.2.840.10045.3.1.6
brainpool224r1                     {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x05}       1.3.36.3.3.2.8.1.1.5
brainpool256r1                     {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07}       1.3.36.3.3.2.8.1.1.7
brainpool320r1                     {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x09}       1.3.36.3.3.2.8.1.1.9
brainpool384r1                     {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0b}       1.3.36.3.3.2.8.1.1.11
brainpool512r1                     {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0d}       1.3.36.3.3.2.8.1.1.13
frp256v1                           {0x06,0x0A,0x2A,0x81,0x7A,0x01,0x81,0x5F,0x65,0x82,0x00,0x01}  1.2.250.1.223.101.256.1

EC Edwards Parameters

OID name      OID hex-value                                                       OID
Ed25519/SHA2  {0x06,0x03,0x2B,0x65,0x70}                                          1.3.101.112
Ed448         {0x06,0x03,0x2B,0x65,0x71}                                          1.3.101.113
Curve25519    {0x06,0x03,0x2B,0x65,0x6E}                                          1.3.101.110
Curve 448     {0x06,0x03,0x2B,0x65,0x6F}                                          1.3.101.111
Ed25519/SHA3  {0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0xDC,0x7C,0x05,0x02,0x01}  1.3.6.1.4.1.44668.5.2.1
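
The hex values in the two tables above are DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, body). The C function below is an added example, not part of the provider or its documentation; it decodes such a byte string into dotted notation so that a CKA_EC_PARAMS value can be compared with the OID column. The name der_oid_to_dotted and the 32-bit arc limit are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode a DER OID (tag 0x06, short-form length) to dotted text; 0 = ok, -1 = malformed. */
int der_oid_to_dotted(const unsigned char *der, size_t der_len,
                      char *out, size_t out_len)
{
    size_t used = 0;
    unsigned long arc = 0;
    int first = 1;
    if (der_len < 3 || der[0] != 0x06 || der[1] >= 0x80 ||
        (size_t)der[1] + 2 != der_len)
        return -1;                  /* wrong tag, long-form length, or size mismatch */
    if (der[der_len - 1] & 0x80)
        return -1;                  /* last arc is truncated */
    for (size_t i = 2; i < der_len; i++) {
        unsigned char b = der[i];
        int n;
        if (arc == 0 && b == 0x80)
            return -1;              /* non-minimal base-128 encoding */
        if (arc > (0xFFFFFFFFUL >> 7))
            return -1;              /* arc would not fit in 32 bits */
        arc = (arc << 7) | (b & 0x7F);
        if (b & 0x80)
            continue;               /* high bit set: arc continues in next byte */
        if (first) {                /* first subidentifier packs two arcs: 40*X + Y */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, out_len - used, "%lu.%lu", x, arc - 40 * x);
            first = 0;
        } else {
            n = snprintf(out + used, out_len - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= out_len - used)
            return -1;              /* output buffer too small */
        used += (size_t)n;
        arc = 0;
    }
    return 0;
}

int main(void)
{
    /* frp256v1 bytes as listed in the table above */
    const unsigned char frp[] = {0x06,0x0A,0x2A,0x81,0x7A,0x01,0x81,0x5F,0x65,0x82,0x00,0x01};
    char buf[64];
    if (der_oid_to_dotted(frp, sizeof frp, buf, sizeof buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```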

Firmware Requirements

The following table shows HSM firmware requirements for some mechanisms and features:

Firmware     required for Feature or Mechanism
latest v2.7  AES Wrap (CBC/ECB), DSA/DH/DHx942 (export PRIME, SUBPRIME, BASE), Log Export, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, CKA_LOCAL, CKA_TRUSTED, CKA_WRAP_WITH_TRUSTED, CKA_VERIFY_RECOVER, CKA_SIGN_RECOVER, retrieve CKA_EC_PARAMS the same way as sent to HSM, CKM_KEY_SPLIT
latest v2.8  Session objects, Ed25519, ChaCha/Poly, C_CopyObject
latest v2.9  DES2, DES2/3-Keywrap
latest v3.1  Ed448, Curve448, CK_EDDSA_PARAMS

Object Label Handling

The provider strips the NUL terminator (\0) from labels before writing them to the HSM, as NUL-terminated labels are not permitted there.

When multiple objects are created with the same object label, the provider automatically adds or removes an HSM-internal label differentiator ("label"@?!<uid>), because the HSM does not directly support duplicate labels. These label markers are visible when using an older provider or a different one (e.g. JCE).

Key Usage Flags

CKA_SIGN, CKA_VERIFY, CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP and CKA_DERIVE default to CK_FALSE, unless none of them is specified, in which case the HSM defaults apply.

Primus PKCS#11 provider versions < v2.1.3 default the above key usage flags to CK_TRUE. However, some applications provide command options only to enable a specific key usage, not to disable it, which results in too many key usage flags being set when a key is created.