
Specifications

PKCS#11 Version

| Library | PKCS#11 Version |
| --- | --- |
| libprimusP11.so, primusP11.dll | 3.0 |

Supported Mechanisms

| Mechanism | Key Size Min | Key Size Max | Flags |
| --- | --- | --- | --- |
| CKM_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY \| CKF_WRAP \| CKF_UNWRAP |
| CKM_RSA_PKCS_KEY_PAIR_GEN | 1024 | 8192 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_RSA_PKCS_OAEP | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_RSA_X_509 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY \| CKF_WRAP \| CKF_UNWRAP |
| CKM_MD5_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_RIPEMD160_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA1_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA1_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA224_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA224_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA256_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA256_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA384_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA384_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA512_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA512_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_224_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_224_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_256_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_256_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_384_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_384_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_512_RSA_PKCS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_512_RSA_PKCS_PSS | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_KEY_PAIR_GEN | 1024 | 8192 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_DSA_PARAMETER_GEN | 1024 | 3072 | CKF_HW \| CKF_GENERATE |
| CKM_DSA_SHA1 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA224 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA256 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA384 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA512 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA3_224 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA3_256 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA3_384 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DSA_SHA3_512 | 1024 | 8192 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_EC_KEY_PAIR_GEN | 224 | 521 | CKF_HW \| CKF_GENERATE_KEY_PAIR \| CKF_EC_F_P \| CKF_EC_ECPARAMETERS \| CKF_EC_NAMEDCURVE \| CKF_EC_UNCOMPRESS \| CKF_EC_COMPRESS |
| CKM_ECDSA | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA1 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA224 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA256 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA384 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA512 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA3_224 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA3_256 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA3_384 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_ECDSA_SHA3_512 | 224 | 521 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_EC_EDWARDS_KEY_PAIR_GEN | 256 | 448 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_EDDSA | 256 | 448 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DH_PKCS_KEY_PAIR_GEN | 1024 | 8192 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_DH_PKCS_PARAMETER_GEN | 1024 | 1024 | CKF_HW \| CKF_GENERATE |
| CKM_DH_PKCS_DERIVE | 1024 | 8192 | CKF_HW \| CKF_DERIVE |
| CKM_X9_42_DH_KEY_PAIR_GEN | 1024 | 8192 | CKF_HW \| CKF_GENERATE_KEY_PAIR |
| CKM_X9_42_DH_PARAMETER_GEN | 1024 | 3072 | CKF_HW \| CKF_GENERATE |
| CKM_X9_42_DH_DERIVE | 1024 | 8192 | CKF_HW \| CKF_DERIVE |
| CKM_ECDH1_DERIVE | 224 | 521 | CKF_HW \| CKF_DERIVE |
| CKM_AES_KEY_GEN | 16 | 32 | CKF_HW \| CKF_GENERATE |
| CKM_AES_ECB | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_CBC | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_CBC_PAD | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_GCM | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_AES_CTR | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_AES_MAC | 16 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_AES_CMAC | 16 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_AES_GMAC | 16 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_AES_KEY_WRAP | 16 | 32 | CKF_HW \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_KEY_WRAP_PAD | 16 | 32 | CKF_HW \| CKF_WRAP \| CKF_UNWRAP |
| CKM_AES_ECB_ENCRYPT_DATA | 16 | 32 | CKF_HW \| CKF_DERIVE |
| CKM_AES_CBC_ENCRYPT_DATA | 16 | 32 | CKF_HW \| CKF_DERIVE |
| CKM_CAMELLIA_KEY_GEN | 16 | 32 | CKF_HW \| CKF_GENERATE |
| CKM_CAMELLIA_ECB | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_CAMELLIA_CBC | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_CAMELLIA_CBC_PAD | 16 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_CAMELLIA_MAC | 16 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DES2_KEY_GEN | 16 | 16 | CKF_HW \| CKF_GENERATE |
| CKM_DES3_KEY_GEN | 24 | 24 | CKF_HW \| CKF_GENERATE |
| CKM_DES3_ECB | 16 | 24 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_DES3_CBC | 16 | 24 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_DES3_CBC_PAD | 16 | 24 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT \| CKF_WRAP \| CKF_UNWRAP |
| CKM_DES3_CMAC | 16 | 24 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_DES3_ECB_ENCRYPT_DATA | 16 | 24 | CKF_HW \| CKF_DERIVE |
| CKM_DES3_CBC_ENCRYPT_DATA | 16 | 24 | CKF_HW \| CKF_DERIVE |
| CKM_MD5 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_RIPEMD160 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA_1 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA224 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA256 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA384 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA512 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA3_224 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA3_256 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA3_384 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_SHA3_512 | 0 | 0 | CKF_HW \| CKF_DIGEST |
| CKM_MD5_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_RIPEMD160_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA_1_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA224_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA256_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA384_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA512_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_224_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_256_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_384_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_SHA3_512_HMAC | 0 | 0 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_CHACHA20 | 32 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_CHACHA20_KEY_GEN | 32 | 32 | CKF_HW \| CKF_GENERATE |
| CKM_POLY1305 | 32 | 32 | CKF_HW \| CKF_MESSAGE_SIGN \| CKF_MESSAGE_VERIFY \| CKF_SIGN \| CKF_VERIFY |
| CKM_POLY1305_KEY_GEN | 32 | 32 | CKF_HW \| CKF_GENERATE |
| CKM_CHACHA20_POLY1305 | 32 | 32 | CKF_HW \| CKF_MESSAGE_ENCRYPT \| CKF_MESSAGE_DECRYPT \| CKF_ENCRYPT \| CKF_DECRYPT |
| CKM_GENERIC_SECRET_KEY_GEN | 16 | 8192 | CKF_HW \| CKF_GENERATE |
| CKM_KEY_SPLIT | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA1_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA224_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA256_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA384_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SHA512_KEY_DERIVATION | 0 | 0 | CKF_HW \| CKF_DERIVE |
| CKM_SP800_108_COUNTER_KDF | 16 | 4096 | CKF_HW \| CKF_DERIVE |
| CKM_SP800_108_FEEDBACK_KDF | 16 | 4096 | CKF_HW \| CKF_DERIVE |
| CKM_SP800_108_DOUBLE_PIPELINE_KDF | 16 | 4096 | CKF_HW \| CKF_DERIVE |
| CKM_PKCS5_PBKD2 | 0 | 0 | CKF_HW \| CKF_GENERATE |

Supported ECC Curves

| OID name | OID hex-value | OID |
| --- | --- | --- |
| secp224k1 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x20} | 1.3.132.0.32 |
| secp224r1 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x21} | 1.3.132.0.33 |
| secp256k1 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x0A} | 1.3.132.0.10 |
| secp256r1, prime256v1, NIST P-256 | {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07} | 1.2.840.10045.3.1.7 |
| secp384r1, NIST P-384 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x22} | 1.3.132.0.34 |
| secp521r1, NIST P-521 | {0x06,0x05,0x2B,0x81,0x04,0x00,0x23} | 1.3.132.0.35 |
| x962_p239v1 | {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04} | 1.2.840.10045.3.1.4 |
| x962_p239v2 | {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05} | 1.2.840.10045.3.1.5 |
| x962_p239v3 | {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06} | 1.2.840.10045.3.1.6 |
| brainpool224r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x05} | 1.3.36.3.3.2.8.1.1.5 |
| brainpool256r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07} | 1.3.36.3.3.2.8.1.1.7 |
| brainpool320r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x09} | 1.3.36.3.3.2.8.1.1.9 |
| brainpool384r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0b} | 1.3.36.3.3.2.8.1.1.11 |
| brainpool512r1 | {0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0d} | 1.3.36.3.3.2.8.1.1.13 |
| frp256v1 | {0x06,0x0A,0x2A,0x81,0x7A,0x01,0x81,0x5F,0x65,0x82,0x00,0x01} | 1.2.250.1.223.101.256.1 |

EC Edwards Parameters

| OID name | OID hex-value | OID |
| --- | --- | --- |
| Ed25519/SHA2 | {0x06,0x03,0x2B,0x65,0x70} | 1.3.101.112 |
| Ed448 | {0x06,0x03,0x2B,0x65,0x71} | 1.3.101.113 |
| Curve25519 | {0x06,0x03,0x2B,0x65,0x6E} | 1.3.101.110 |
| Curve 448 | {0x06,0x03,0x2B,0x65,0x6F} | 1.3.101.111 |
| Ed25519/SHA3 | {0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0xDC,0x7C,0x05,0x02,0x01} | 1.3.6.1.4.1.44668.5.2.1 |

Firmware Requirements

The following table shows HSM firmware requirements for some mechanisms and features:

| Firmware | Required for Feature or Mechanism |
| --- | --- |
| latest v2.7 | AES Wrap (CBC/ECB), DSA/DH/DHx942 (export PRIME, SUBPRIME, BASE), Log Export, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, CKA_LOCAL, CKA_TRUSTED, CKA_WRAP_WITH_TRUSTED, CKA_VERIFY_RECOVER, CKA_SIGN_RECOVER, retrieve CKA_EC_PARAMS the same way as sent to HSM, CKM_KEY_SPLIT |
| latest v2.8 | Session objects, Ed25519, ChaCha/Poly, C_CopyObject |
| latest v2.9 | DES2, DES2/3-Keywrap |
| latest v3.1 | Ed448, Curve448, CK_EDDSA_PARAMS |
| latest v3.2 | CKM_DES3/AES_ECB/CBC_ENCRYPT_DATA |

Object Label Handling

For details on object labels and identifiers, see this page.

Key Usage Flags

CKA_SIGN, CKA_VERIFY, CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP and CKA_DERIVE default to CK_FALSE, unless none of them is specified, in which case the HSM defaults are applied.

Primus PKCS#11 provider versions < v2.1.3 default the above key usage flags to CK_TRUE. However, some applications offer command options only to enable a specific key usage and none to disable it, so a key created through them ends up with too many key usage flags set.
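A pre-flight check for the defaulting behaviour described above, as an added example that is not part of the Primus provider or its documentation: it reports which of the seven usage flags a key template leaves unspecified and appends an explicit CK_FALSE for each, so the key comes out the same whichever default the provider version applies. The helper names `usage_unspecified` and `usage_pin` are hypothetical, the type and constant stand-ins replace `pkcs11.h` only so the block compiles alone, and a secret-key template (where all seven attributes are valid) is assumed.

```c
/* Stand-ins so the block compiles without pkcs11.h (standard PKCS#11 values);
   skipped when the real header has been included first. */
#ifndef CKA_SIGN
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_FALSE    0
#define CKA_ENCRYPT 0x104UL
#define CKA_DECRYPT 0x105UL
#define CKA_WRAP    0x106UL
#define CKA_UNWRAP  0x107UL
#define CKA_SIGN    0x108UL
#define CKA_VERIFY  0x10AUL
#define CKA_DERIVE  0x10CUL
#endif

/* The seven key usage attributes listed under "Key Usage Flags".
   usage_unspecified/usage_pin are illustrative helpers, not provider API. */
static const CK_ULONG USAGE[7] = { CKA_SIGN, CKA_VERIFY, CKA_ENCRYPT,
                                   CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_DERIVE };
static CK_BBOOL ck_false = CK_FALSE;

/* Bit i is set when USAGE[i] is absent from the template, so its value is left
   to the provider default (CK_TRUE before v2.1.3, CK_FALSE otherwise). */
unsigned usage_unspecified(const CK_ATTRIBUTE *t, CK_ULONG n) {
    unsigned mask = 0x7F;
    for (CK_ULONG j = 0; j < n; j++)
        for (int i = 0; i < 7; i++)
            if (t[j].type == USAGE[i]) mask &= ~(1u << i);
    return mask;
}

/* Append an explicit CK_FALSE for each absent usage flag. Returns the new
   attribute count, or 0 (template untouched) if capacity `cap` is too small. */
CK_ULONG usage_pin(CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG cap) {
    unsigned mask = usage_unspecified(t, n);
    CK_ULONG need = 0;
    for (int i = 0; i < 7; i++) need += (mask >> i) & 1u;
    if (n + need > cap) return 0;
    for (int i = 0; i < 7; i++) {
        if (!(mask & (1u << i))) continue;
        t[n].type = USAGE[i];
        t[n].pValue = &ck_false;
        t[n].ulValueLen = sizeof ck_false;
        n++;
    }
    return n;
}
```

A template that names none of the seven flags receives the HSM defaults on current providers; passing it through `usage_pin` turns all seven off, so set the intended flags to CK_TRUE before pinning.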
