PKCS#11 Compliance

This section describes the compliance of Luna Software Development Kit HSM products with the PKCS#11 standard, with reference to particular versions of the standard. The text of the standard is not reproduced here.

Supported PKCS#11 Services

Table 1 identifies which PKCS#11 services this version of Luna Software Development Kit supports. Table 2 lists other PKCS#11 features and identifies whether this version of the Luna Software Development Kit complies with them.

Table 1: PKCS#11 function support

| Category | Function | Supported on Luna partitions | Supported on Luna keyrings |
|---|---|---|---|
| General purpose functions | C_Initialize | Yes | Yes |
| | C_Finalize | Yes | Yes |
| | C_GetInfo | Yes | Yes |
| | C_GetFunctionList | Yes | Yes |
| Slot and token management functions | C_GetSlotList | Yes | Yes |
| | C_GetSlotInfo | Yes | Yes |
| | C_GetTokenInfo | Yes | Yes |
| | C_WaitForSlotEvent | No | No |
| | C_GetMechanismList | Yes | Yes |
| | C_GetMechanismInfo | Yes | Yes |
| | C_InitToken | Yes | Yes |
| | C_InitPIN | Yes | Yes |
| | C_SetPIN | Yes | Yes |
| Session management functions | C_OpenSession | Yes | Yes |
| | C_CloseSession | Yes | Yes |
| | C_CloseAllSessions | Yes | Yes |
| | C_GetSessionInfo | Yes | Yes |
| | C_GetOperationState | Yes | No |
| | C_SetOperationState | Yes | No |
| | C_Login | Yes | Yes |
| | C_Logout | Yes | Yes |
| Object management functions | C_CreateObject | Yes | Yes |
| | C_CopyObject | Yes | No |
| | C_DestroyObject | Yes | Yes |
| | C_GetObjectSize | Yes | Yes |
| | C_GetAttributeValue | Yes | Yes |
| | C_SetAttributeValue | Yes | Yes |
| | C_FindObjectsInit | Yes | Yes |
| | C_FindObjects | Yes | Yes |
| | C_FindObjectsFinal | Yes | Yes |
| Encryption functions | C_EncryptInit | Yes | Yes |
| | C_Encrypt | Yes | Yes |
| | C_EncryptUpdate | Yes | Yes |
| | C_EncryptFinal | Yes | Yes |
| Decryption functions | C_DecryptInit | Yes | Yes |
| | C_Decrypt | Yes | Yes |
| | C_DecryptUpdate | Yes | Yes |
| | C_DecryptFinal | Yes | Yes |
| Message digesting functions | C_DigestInit | Yes | Yes |
| | C_Digest | Yes | Yes |
| | C_DigestUpdate | Yes | Yes |
| | C_DigestKey | Yes | Yes |
| | C_DigestFinal | Yes | Yes |
| Signing and MACing functions | C_SignInit | Yes | Yes |
| | C_Sign | Yes | Yes |
| | C_SignUpdate | Yes | Yes |
| | C_SignFinal | Yes | Yes |
| | C_SignRecoverInit | No | No |
| | C_SignRecover | No | No |
| Functions for verifying signatures and MACs | C_VerifyInit | Yes | Yes |
| | C_Verify | Yes | Yes |
| | C_VerifyUpdate | Yes | Yes |
| | C_VerifyFinal | Yes | Yes |
| | C_VerifyRecoverInit | No | No |
| | C_VerifyRecover | No | No |
| Dual-purpose cryptographic functions | C_DigestEncryptUpdate | No | No |
| | C_DecryptDigestUpdate | No | No |
| | C_SignEncryptUpdate | No | No |
| | C_DecryptVerifyUpdate | No | No |
| Key management functions | C_GenerateKey | Yes | Yes |
| | C_GenerateKeyPair | Yes | Yes |
| | C_WrapKey | Yes | Yes |
| | C_UnwrapKey* | Yes | Yes |
| | C_DeriveKey | Yes | Yes |
| Random number generation functions | C_SeedRandom | Yes | No |
| | C_GenerateRandom | Yes | Yes |
| Parallel function management functions | C_GetFunctionStatus | No | No |
| | C_CancelFunction | No | No |
| Callback function | | No | No |

*C_UnwrapKey supports the CKA_UNWRAP_TEMPLATE attribute. All mechanisms that perform the unwrap function support an unwrap template. Nested templates are not supported.

Table 2: PKCS#11 feature support

| Feature | Supported? |
|---|---|
| Exclusive sessions | Yes |
| Parallel sessions | No |

Key Check Values

The Luna HSM firmware calculates a checksum, or key check value, for each key object created by the HSM. The length of this key check value is fixed at 3 bytes, as defined by PKCS#11.

Additional Functions

Please note that certain additional functions have been implemented by Thales as extensions to the standard. These include aspects of object cloning, and are described in detail in Luna Extensions to PKCS#11.