Luna Extensions to PKCS#11

The following table provides a list of the Luna PKCS#11 C-API extensions.

Firmware Dependencies

Some functions are firmware-dependent, as indicated. Where there is a firmware dependency, the specified firmware version applies to all minor revisions of the firmware. In the following table, if no firmware version/series is mentioned, then the extension applies to all. If a firmware version is mentioned, then the extension applies to that firmware series, but not to others.

Other APIs

These commands and functions can also be used as extensions to other Application Programming Interfaces (for example, OpenSSL).

Cryptoki Version Supported

The current release of Luna Toolkit provides the Chrystoki library supporting version 2.20 of the Cryptoki standard.

Luna Extensions

Extension Description
CA_ActivateMofN Activates a token that has the secret sharing feature enabled.
CA_Bip32ExportPublicKey Retrieve public BIP32 key attributes and return the serialized format (base58 encoded).
CA_Bip32ImportPublicKey Import the BIP32 serialized format (base58 encoded) and create a BIP32 public key object.
CA_CapabilityUpdate Apply configuration update file as Security Officer only.
CA_CheckOperationState Checks whether the specified cryptographic operation (encrypt, decrypt, sign, verify, digest) is in progress in the given session.
CA_CloneAsSource Refer to Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.
CA_CloneAsTarget Refer to Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.
CA_CloneAsTargetInit Refer to Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.
CA_CloneObject Refer to Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.
CA_ClonePrivateKey Permits the secure transfer of a private key (RSA) between a source token and a target token.
CA_CloseApplicationID Deactivate an application identifier.
CA_CloseApplicationIDForContainer Deactivate an application identifier for a container.
CA_ConfigureRemotePED Configure the given slot to use the provided remote PED information (appliance slot only).
CA_CreateContainer Create a partition for non-PPSO users.
CA_CreateContainerLoginChallenge Create a challenge for a role on a partition.
CA_CreateLoginChallenge Create a login challenge for the specified user.
CA_Deactivate Deactivate a partition.
CA_DeleteContainer Delete a partition.
CA_DeleteContainerWithHandle Delete a partition.
CA_DeleteRemotePEDVector Delete the Remote PED vector.
CA_DeriveKeyAndWrap This is an optimization of C_DeriveKey with C_Wrap, merging the two functions into one (the in and out constraints are the same as for the individual functions). A further optimization is applied when mechanism CKM_ECDH1_DERIVE is used with CA_DeriveKeyAndWrap.
CA_DestroyMultipleObjects Delete multiple objects.
CA_DismantleRemotePED Inverse of CA_ConfigureRemotePED(). Delete remote PED configuration information.
CA_DuplicateMofN Create duplicates (copies) of all MofN secret splits.
CA_EncodeECChar2Params Encode EC curve parameters for user defined curves.
CA_EncodeECParamsFromFile Encode EC curve parameters for user defined curves.
CA_EncodeECPrimeParams Encode EC curve parameters for user defined curves.
CA_Extract Extract a SIM3 blob.
CA_FactoryReset Factory Reset the HSM.
CA_FindAdminSlotForSlot Get the Admin slot for the current slot.
CA_FirmwareRollback Roll back firmware.
CA_GenerateCloneableMofN Create a cloneable secret-splitting vector on a token.
CA_GenerateCloningKEV Refer to Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.
CA_GenerateMofN Generate the secret information on a token.
CA_GenerateMofN_Common Refer to the M of N document.
CA_Get Get HSM parameters such as serial numbers, and certificates.
CA_GetApplicationID Get an application's accessID.
CA_GetConfigurationElementDescription Get capability / policy description and properties.
CA_GetContainerCapabilitySet Get all partition capability values.
CA_GetContainerCapabilitySetting Get a single partition capability value.
CA_GetContainerList Get the list of all partitions on a slot.
CA_GetContainerName Get the name of a specific partition.
CA_GetContainerPolicySet Get all partition policy values.
CA_GetContainerPolicySetting Get a single partition policy value.
CA_GetContainerStatus Get partition status, which returns authentication status flags.
CA_GetContainerStorageInformation Get partition storage information such as size, usage, and number of objects.
CA_GetCurrentHAState() Get HA status from the application perspective. Same functional behavior as CA_GetHAState, but uses parallel checks of members, avoids delays once a peer is found unreachable, and returns all member statuses within 3 seconds (*).
CA_GetCVFirmwareVersion Get the Cryptovisor HSM firmware version.
CA_GetDefaultHSMPolicyValue Get the default value of a single HSM policy.
CA_GetDefaultPartitionPolicyValue Get the default value of a single partition policy.
CA_GetFirmwareVersion Get the vendor-specific firmware version of the Luna HSM.
CA_GetHAState Get HA status from the application perspective.
CA_GetHSMCapabilitySet Get all HSM capability values.
CA_GetHSMCapabilitySetting Get a single HSM capability value.
CA_GetHSMPolicySet Get all HSM policy values.
CA_GetHSMPolicySetting Get a single HSM policy value.
CA_GetHSMStats Get HSM usage stats such as operational counters and how busy the HSM is.
CA_GetHSMStorageInformation Get HSM storage information such as storage and usage.
CA_GetMofNStatus Retrieve the MofN structure of the specified token.
CA_GetNumberOfAllowedContainers Get the number of allowed partitions depending on the partition license count.
CA_GetObjectHandle Get the object handle for a given OUID. Not available for Luna Cloud HSM services.
CA_GetObjectUID Get the OUID for a given object handle.
CA_GetPedId Get the PED ID.
CA_GetRemotePEDVectorStatus Get the status of the RPV, created or not.
CA_GetRollbackFirmwareVersion Get the available rollback version.
CA_GetServerInstanceBySlotID Get the instance # in the chrystoki.conf (crystoki.ini) file for the appliance/server the specified slot maps to.
CA_GetSessionInfo Gets the session info that includes vendor specific information such as authentication state and container handle.
CA_GetSlotIdForContainer Return a slot for a given container handle.
CA_GetSlotIdForPhysicalSlot Return a slot for a given physical slot.
CA_GetSlotListFromServerInstance Get the list of slots for the specified appliance/server instance #, as defined in the chrystoki.conf (crystoki.ini) file.
CA_GetTime Get the HSM time.
CA_GetTokenCapabilities Get the capabilities for the specified partition.
CA_GetTokenCertificateInfo Get the cloning certificate.
CA_GetTokenCertificates Get all HSM certificates. Token Wrapping Certificates are used for cloning. [ See * below table ]
CA_GetTokenInsertionCount Get the insertion or reset count of HSM in the given slot.
CA_GetTokenObjectHandle Retrieves a partition's handle, if there is a partition security officer. Not available for Luna Cloud HSM services. Same as CA_GetObjectHandle.
CA_GetTokenObjectUID Retrieves a partition's OUID, if there is a partition security officer. Same as CA_GetObjectUID.
CA_GetTokenPolicies Get partition policies.
CA_GetTokenStatus Get partition status.
CA_GetTokenStorageInformation Get partition storage information.
CA_GetTunnelSlotNumber Get the tunnel slot number for a given slot number.
CA_InitRolePIN Initialize a role on the current slot.
CA_InitSlotRolePIN Initialize a role on a different slot.
CA_InitToken Same as CA_Init_token with PPT support.
CA_Insert Insert a SIM3 blob.
CA_ListSecureTokenInit Retrieve information from an SFF backup token.
CA_ListSecureTokenUpdate Continue retrieving information from a backup SFF token.
CA_LogExportSecret Export (backup) the audit log HMAC key.
CA_LogExternal Log external message - pushes an application-provided message to the HSM and logs it via the audit log.
CA_LogGetConfig Get the audit log configuration.
CA_LogGetStatus Get the audit log status (audit role, logs needing export, HSM to PedClient communication status).
CA_LogImportSecret Restore the audit log HMAC key.
CA_LogSetConfig Modify the audit log configuration.
CA_LogVerify Verify the audit log record(s).
CA_LogVerifyFile Verify the audit log record file.
CA_ManualKCV Set the key cloning vector (KCV) (sets the domain).
CA_ModifyUsageCount Modify key usage count (Crypto Officer).
CA_OpenApplicationID Activate an application identifier, independent of any open sessions.
CA_OpenApplicationIDForContainer Same as CA_OpenApplicationID, but partition specific.
CA_OpenSession Same as C_OpenSession, but lets you specify partition.
CA_OpenSessionWithAppID Same as CA_OpenSession, but lets you specify an application ID (AppID).
CA_PerformSelfTest Invoke a self test on HSM (RNG statistics, Cryptographic Algorithms).
CA_QueryLicense Get License/CUF information.
CA_RandomizeApplicationID Set an application accessID to a random value.
CA_ResetDevice Reset the HSM.
CA_ResetPIN SO reset of a CO role PIN (if "SO can reset PIN" policy is on).
CA_Restart Clean up all sessions for a given slot.
CA_RestartForContainer Clean up all sessions for a given partition.
CA_RetrieveLicenseList Get a list of all Licenses/CUFs.
CA_RoleStateGet Get the state of a role (initialized, activated, failed logins, challenge created, etc).
CA_SetApplicationID Set the application's identifier.
CA_SetCloningDomain Set the domain string used during token initialization.
CA_SetContainerPolicies Set multiple partition policies.
CA_SetContainerPolicy Set single partition policy.
CA_SetContainerSize Set container storage size.
CA_SetKCV Set KCV (domain).
CA_SetLKCV Set a legacy KCV (legacy domain).
CA_SetMofN Set the security policy for the token to use the secret sharing feature.
CA_SetRDK Set the RDK (role specific KCV) for the current role.
CA_SetTokenPolicies Set partition policies for the given slot (PPSO only).
CA_SetUserContainerName Set the name the library should use for the user partition on non-PPSO partitions.
CA_SIMMultiSign SIM2, SKS, firmware 4.x, firmware 6.x. Sign multiple data blobs with multiple keys provided as SIM2 blobs.
CA_SMKRollover Invoke once to move the current SMK to the RolloverSMK slot and create a new PrimarySMK; this allows insertion/decryption of existing blobs with the Rollover SMK and re-encryption/extraction with the new Primary. Invoke again to end.
CA_SpRawRead PED key migration - read PED key value from DataKey PED Key.
CA_SpRawWrite PED key migration - store PED key value to iKey PED Key.
CA_STCClearCipherAlgorithm Remove the specified Cipher Algorithm from use with STC for the specified slot.
CA_STCClearDigestAlgorithm Remove the specified Digest Algorithm from use with STC for the specified slot.
CA_STCDeregister Remove STC registration of a client from the specified slot.
CA_STCGetAdminPubKey Get the public key for the Admin slot's STC identity RSA keypair.
CA_STCGetChannelID Get the Secure Trusted Channel ID for the current slot.
CA_STCGetCipherAlgorithm Get all the valid cipher suites allowed for the specified slot.
CA_STCGetCipherID Get the ID for the cipher currently in use on active STC to this slot.
CA_STCGetCipherIDs Get all cipher IDs valid for use with STC to the specified slot.
CA_STCGetCipherNameByID Get the readable name string for the specified Cipher ID.
CA_STCGetClientInfo Get the STC registration details (name, public key, active access) about the specified client on the specified slot.
CA_STCGetClientsList Get the list of all STC clients registered to the specified slot.
CA_STCGetCurrentKeyLife Get the remaining lifetime (in operations) for the active negotiated STC session key.
CA_STCGetDigestAlgorithm Get all the valid digest algorithms allowed for the specified slot.
CA_STCGetDigestID Get the ID for the digest currently in use on active STC to this slot.
CA_STCGetDigestIDs Get all digest IDs valid for use with STC to the specified slot.
CA_STCGetDigestNameByID Get the readable name string for the specified Digest ID.
CA_STCGetKeyActivationTimeOut Get the amount of time allowed between the initiation and completion of STC session negotiation.
CA_STCGetKeyLifeTime Get the configured session key lifetime (in operations) for the specified slot.
CA_STCGetPartPubKey Get the public key for the specified slot STC identity RSA keypair.
CA_STCGetPubKey Get the specified slot's public key.
CA_STCGetSequenceWindowSize Get the replay window size for the specified slot.
CA_STCGetState Get the STC state of the specified slot.
CA_STCIsEnabled Determine if STC is configured for the specified slot.
CA_STCRegister Register a client for STC to the specified slot.
CA_STCSetCipherAlgorithm Set a cipher algorithm as valid for use with STC on the specified slot.
CA_STCSetDigestAlgorithm Set a digest algorithm as valid for use with STC on the specified slot.
CA_STCSetKeyActivationTimeOut Set the amount of time allowed between the initiation and completion of STC session negotiations for the specified slot.
CA_STCSetKeyLifeTime Set how long an STC key can live before STC rekeying occurs.
CA_STCSetSequenceWindowSize Set the replay window size for the specified slot.
CA_STMGetState Get STM state (enabled or disabled).
CA_STMToggle Enter, or recover from, Secure Transport Mode.
CA_TamperClear Used by the SO to clear tamper status.
CA_TimeSync Synchronize the HSM time with the host time.
CA_TokenDelete SO can delete a partition (PPSO only).
CA_TokenZeroize Zeroize a PPSO partition.
CA_ValidateContainerPolicySet Validate partition policy settings prior to calling SetPolicies.
CA_ValidateHSMPolicySet Validate HSM policy settings prior to calling SetPolicies.
CA_WaitForSlotEvent For PCMCIA HSMs, extends C_WaitForSlotEvent and provides some history of events.
CA_Zeroize Zeroize the HSM.

(* The 3 seconds is expected to be achievable for an HA group of up to 32 members and is verified in supportive conditions, meaning laboratory-like conditions that are not affected by appliance CPU, memory, network, or HSM bottlenecks outside the control of the cryptographic module and its host. The CA_GetCurrentHAState() function, along with CKDemo option 49, is available starting at HSM Client version 10.7.0.)

Luna Keyring Extensions

The following custom PKCS#11 extensions apply to Luna keyrings only (see Cluster Extensions). Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and HSM Client 10.7.2 to use clusters in production environments.

Extension Description
CA_GetSlotId Resolve the ID of the token(s) from the given label.
CA_GetUnassignedSlot Get the ID of the next unassigned token from the unordered list of created tokens in the system.
CA_LockClusteredSlot Lock the specified keyring.
CA_UnlockClusteredSlot Unlock the specified keyring. It might have been locked deliberately using CA_LockClusteredSlot or CA_GetUnassignedSlot.