Cryptographic Token Interface Standard
PKCS#11
Cryptographic Token Interface Standard Sections
Here is a list of all sections:
References
Definitions
Symbols and abbreviations
General overview
Design goals
General model
Logical view of a token
Users
Applications and their use of Cryptoki
Applications and processes
Applications and threads
Sessions
Read-only session states
Read/write session states
Permitted object accesses by sessions
Session events
Session handles and object handles
Capabilities of sessions
Example of use of sessions
Secondary authentication (Deprecated)
Function overview
Security considerations
Platform- and compiler-dependent directives for C or C++
Structure packing
Pointer-related macros
Sample platform- and compiler-dependent code
Win32
Win16
Generic UNIX
General data types
General information
Slot and token types
Session types
Object types
Data types for mechanisms
Function types
Locking-related types
Objects
Creating, modifying, and copying objects
Creating objects
Modifying objects
Copying objects
Common attributes
Hardware Feature Objects
Clock
Monotonic Counter Objects
User Interface Objects
Storage Objects
Data objects
Certificate objects
X.509 public key certificate objects
WTLS public key certificate objects
X.509 attribute certificate objects
Key objects
Public key objects
Private key objects
Secret key objects
Domain parameter objects
Mechanism objects
Functions
Function return values
Universal Cryptoki function return values
Cryptoki function return values for functions that use a session handle
Cryptoki function return values for functions that use a token
Special return value for application-supplied callbacks
Special return values for mutex-handling functions
All other Cryptoki function return values
More on relative priorities of Cryptoki errors
Error code 'gotchas'
Conventions for functions returning output in a variable-length buffer
Disclaimer concerning sample code
General-purpose functions
Slot and token management functions
Session management functions
Object management functions
Encryption functions
Decryption functions
Message digesting functions
Signing and MACing functions
Functions for verifying signatures and MACs
Dual-function cryptographic functions
Key management functions
Random number generation functions
Parallel function management functions
Callback functions
Surrender callbacks
Vendor-defined callbacks
Mechanisms 1
RSA
RSA public key objects
RSA private key objects
PKCS #1 RSA key pair generation
X9.31 RSA key pair generation
PKCS #1 v1.5 RSA
PKCS #1 RSA OAEP mechanism parameters
PKCS #1 RSA OAEP
PKCS #1 RSA PSS mechanism parameters
PKCS #1 RSA PSS
ISO/IEC 9796 RSA
X.509 (raw) RSA
ANSI X9.31 RSA
PKCS #1 v1.5 RSA signature with MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512, RIPE-MD 128 or RIPE-MD 160
PKCS #1 v1.5 RSA signature with SHA-224
PKCS #1 RSA PSS signature with SHA-224
PKCS #1 RSA PSS signature with SHA-1, SHA-256, SHA-384 or SHA-512
ANSI X9.31 RSA signature with SHA-1
TPM 1.1 PKCS #1 v1.5 RSA
TPM 1.1 PKCS #1 RSA OAEP
DSA
DSA public key objects
DSA private key objects
DSA domain parameter objects
DSA key pair generation
DSA domain parameter generation
DSA without hashing
DSA with SHA-1
Elliptic Curve
EC Signatures
ECDSA public key objects
Elliptic curve private key objects
Elliptic curve key pair generation
ECDSA without hashing
ECDSA with SHA-1
EC mechanism parameters
Elliptic curve Diffie-Hellman key derivation
Elliptic curve Diffie-Hellman with cofactor key derivation
Elliptic curve Menezes-Qu-Vanstone key derivation
Diffie-Hellman
Diffie-Hellman public key objects
X9.42 Diffie-Hellman public key objects
Diffie-Hellman private key objects
X9.42 Diffie-Hellman private key objects
Diffie-Hellman domain parameter objects
X9.42 Diffie-Hellman domain parameters objects
PKCS #3 Diffie-Hellman key pair generation
PKCS #3 Diffie-Hellman domain parameter generation
PKCS #3 Diffie-Hellman key derivation
X9.42 Diffie-Hellman mechanism parameters
X9.42 Diffie-Hellman key pair generation
X9.42 Diffie-Hellman domain parameter generation
X9.42 Diffie-Hellman key derivation
X9.42 Diffie-Hellman hybrid key derivation
X9.42 Diffie-Hellman Menezes-Qu-Vanstone key derivation
Wrapping/unwrapping private keys
Generic secret key
Generic secret key objects
Generic secret key generation
HMAC mechanisms
AES
AES secret key objects
AES key generation
AES-ECB
AES-CBC
AES-CBC with PKCS padding
AES-OFB
AES-CFB
General-length AES-MAC
AES-MAC
AES with Counter
AES with Counter mechanism parameters
AES with Counter Encryption / Decryption
AES CBC with Cipher Text Stealing CTS
AES CTS mechanism parameters
Additional AES Mechanisms
AES GCM and CCM Mechanism parameters
AES-GCM authenticated Encryption / Decryption
AES-CCM authenticated Encryption / Decryption
AES CMAC
Mechanism parameters
General-length AES-CMAC
AES-CMAC
AES Key Wrap
AES Key Wrap Mechanism parameters
AES Key Wrap
Key derivation by data encryption - DES & AES
Mechanism Parameters
Mechanism Description
Double and Triple-length DES
DES2 secret key objects
DES3 secret key objects
Double-length DES key generation
Triple-length DES Order of Operations
Triple-length DES in CBC Mode
DES and Triple-length DES in OFB Mode
DES and Triple-length DES in CFB Mode
Double and Triple-length DES CMAC
Mechanism parameters
General-length DES3-MAC
DES3-CMAC
SHA-1
SHA-1 digest
General-length SHA-1-HMAC
SHA-1-HMAC
SHA-1 key derivation
SHA-224
SHA-224 digest
General-length SHA-224-HMAC
SHA-224-HMAC
SHA-224 key derivation
SHA-256
SHA-256 digest
General-length SHA-256-HMAC
SHA-256-HMAC
SHA-256 key derivation
SHA-384
SHA-384 digest
General-length SHA-384-HMAC
SHA-384-HMAC
SHA-384 key derivation
SHA-512
SHA-512 digest
General-length SHA-512-HMAC
SHA-512-HMAC
SHA-512 key derivation
PKCS #5 and PKCS #5-style password-based encryption (PBE)
Password-based encryption/authentication mechanism parameters
PKCS #5 PBKDF2 key generation mechanism parameters
PKCS #5 PBKDF2 key generation
PKCS #12 password-based encryption/authentication mechanisms
SHA-1-PBE for 3-key triple-DES-CBC
SHA-1-PBE for 2-key triple-DES-CBC
SHA-1-PBA for SHA-1-HMAC
SSL
SSL mechanism parameters
Pre_master key generation
Master key derivation
Master key derivation for Diffie-Hellman
Key and MAC derivation
MD5 MACing in SSL 3.0
SHA-1 MACing in SSL 3.0
TLS
TLS mechanism parameters
TLS PRF (pseudorandom function)
Pre_master key generation
Master key derivation
Master key derivation for Diffie-Hellman
Key and MAC derivation
WTLS
WTLS mechanism parameters
Pre master secret key generation for RSA key exchange suite
Master secret key derivation
Master secret key derivation for Diffie-Hellman and Elliptic Curve Cryptography
WTLS PRF (pseudorandom function)
Server Key and MAC derivation
Client key and MAC derivation
Miscellaneous simple key derivation mechanisms
Parameters for miscellaneous simple key derivation mechanisms
Concatenation of a base key and another key
Concatenation of a base key and data
Concatenation of data and a base key
XORing of a key and data
Extraction of one key from another key
CMS
CMS Signature Mechanism Objects
CMS mechanism parameters
CMS signatures
Blowfish
BLOWFISH secret key objects
Blowfish key generation
Blowfish-CBC
Blowfish-CBC with PKCS padding
Twofish
Twofish secret key objects
Twofish key generation
Twofish-CBC
Twofish-CBC with PKCS padding
CAMELLIA
Camellia secret key objects
Camellia key generation
Camellia-ECB
Camellia-CBC
Camellia-CBC with PKCS padding
General-length Camellia-MAC
Camellia-MAC
Key derivation by data encryption - Camellia
Mechanism Parameters
ARIA
ARIA secret key objects
ARIA key generation
ARIA-ECB
ARIA-CBC
ARIA-CBC with PKCS padding
General-length ARIA-MAC
ARIA-MAC
Key derivation by data encryption - ARIA
Mechanism Parameters
SEED
SEED secret key objects
SEED key generation
SEED-ECB
SEED-CBC
SEED-CBC with PKCS padding
General-length SEED-MAC
SEED-MAC
Key derivation by data encryption - SEED
Mechanism Parameters
OTP
Usage overview
Case 1: Generation of OTP values
Case 2: Verification of provided OTP values
Case 3: Generation of OTP keys
OTP objects
OTP-related notifications
OTP mechanisms
RSA SecurID
RSA SecurID key generation
RSA SecurID OTP generation and validation
Return values
OATH HOTP
ActivIdentity ACTI
ACTI OTP generation and validation
CT-KIP
Principles of Operation
Mechanisms
CT-KIP Mechanism parameters
CT-KIP key derivation
CT-KIP key wrap and key unwrap
CT-KIP signature generation
GOST
GOST 28147-89
GOST 28147-89 secret key objects
GOST 28147-89 domain parameter objects
GOST 28147-89 key generation
GOST 28147-89-ECB
GOST 28147-89 encryption mode except ECB
GOST 28147-89-MAC
GOST R 34.11-94 domain parameter objects
GOST R 34.11-94 digest
GOST R 34.11-94 HMAC
GOST R 34.10-2001
GOST R 34.10-2001 public key objects
GOST R 34.10-2001 private key objects
GOST R 34.10-2001 domain parameter objects
GOST R 34.10-2001 mechanism parameters
GOST R 34.10-2001 key pair generation
GOST R 34.10-2001 without hashing
GOST R 34.10-2001 with GOST R 34.11-94
GOST 28147-89 keys wrapping/unwrapping with GOST R 34.10-2001
FORTEZZA timestamp
Mechanisms 2
KEA
KEA mechanism parameters
KEA public key objects
KEA private key objects
KEA key pair generation
KEA key derivation
RC2
RC2 secret key objects
RC2 mechanism parameters
RC2 key generation
RC2-ECB
RC2-CBC
RC2-CBC with PKCS padding
General-length RC2-MAC
RC2-MAC
RC4
RC4 secret key objects
RC4 key generation
RC4 mechanism
RC5
RC5 secret key objects
RC5 mechanism parameters
RC5 key generation
RC5-ECB
RC5-CBC
RC5-CBC with PKCS padding
General-length RC5-MAC
RC5-MAC
General block cipher
DES secret key objects
CAST secret key objects
CAST3 secret key objects
CAST128 (CAST5) secret key objects
IDEA secret key objects
CDMF secret key objects
General block cipher mechanism parameters
General block cipher key generation
General block cipher ECB
General block cipher CBC
General block cipher CBC with PKCS padding
General-length general block cipher MAC
General block cipher MAC
SKIPJACK
SKIPJACK secret key objects
SKIPJACK Mechanism parameters
SKIPJACK key generation
SKIPJACK-ECB64
SKIPJACK-CBC64
SKIPJACK-OFB64
SKIPJACK-CFB64
SKIPJACK-CFB32
SKIPJACK-CFB16
SKIPJACK-CFB8
SKIPJACK-WRAP
SKIPJACK-PRIVATE-WRAP
SKIPJACK-RELAYX
BATON
BATON secret key objects
BATON key generation
BATON-ECB128
BATON-ECB96
BATON-CBC128
BATON-COUNTER
BATON-SHUFFLE
BATON WRAP
JUNIPER
JUNIPER secret key objects
JUNIPER key generation
JUNIPER-ECB128
JUNIPER-CBC128
JUNIPER-COUNTER
JUNIPER-SHUFFLE
JUNIPER WRAP
MD2
MD2 digest
General-length MD2-HMAC
MD2-HMAC
MD2 key derivation
MD5
MD5 digest
General-length MD5-HMAC
MD5-HMAC
MD5 key derivation
FASTHASH
FASTHASH digest
PKCS #5 and PKCS #5-style password-based encryption (PBE)
Password-based encryption/authentication mechanism parameters
MD2-PBE for DES-CBC
MD5-PBE for DES-CBC
MD5-PBE for CAST-CBC
MD5-PBE for CAST3-CBC
MD5-PBE for CAST128-CBC (CAST5-CBC)
SHA-1-PBE for CAST128-CBC (CAST5-CBC)
PKCS #12 password-based encryption/authentication mechanisms
SHA-1-PBE for 128-bit RC4
SHA-1-PBE for 40-bit RC4
SHA-1-PBE for 128-bit RC2-CBC
SHA-1-PBE for 40-bit RC2-CBC
RIPE-MD
RIPE-MD 128 digest
General-length RIPE-MD 128-HMAC
RIPE-MD 128-HMAC
RIPE-MD 160
General-length RIPE-MD 160-HMAC
RIPE-MD 160-HMAC
SET
SET mechanism parameters
OAEP key wrapping for SET
LYNKS
LYNKS key wrapping
Cryptoki tips and reminders
Operations, sessions, and threads
Multiple Application Access Behavior
Objects, attributes, and templates
Signing with recovery
Manifest constants
Token profiles
Government authentication-only
Cellular Digital Packet Data
Other profiles
Comparison of Cryptoki and other APIs
FORTEZZA CIPG, Rev. 1.52
GCS-API
RSA Security Inc. Public-Key Cryptography Standards - PKCS #11 - v2.30