SafeNet Luna Extensions to PKCS#11
The following table provides a list of the SafeNet Luna PKCS#11 C-API extensions.
Firmware Dependencies
Some functions are firmware-dependent, as indicated. Where there is a firmware dependency, the specified firmware version applies to all minor revisions of the firmware. In the following table, if no firmware version/series is mentioned, then the extension applies to all. If a firmware version is mentioned, then the extension applies to that firmware series, but not to others. A function that applies to Firmware 4 (example: CA_CloneModifyMofN) works with firmware versions 4.xx.xx, but not with firmware 6.xx.xx nor firmware 7.xx.xx.
Other APIs
These commands and functions can also be used as extensions to other Application Programming Interfaces (for example, OpenSSL).
Cryptoki Version Supported
The current release of SafeNet SafeNet Toolkit provides the Chrystoki library supporting version 2.20 of the Cryptoki standard.
Extension | Description |
---|---|
CA_ActivateMofN | Activates a token that has the secret sharing feature enabled. |
CA_CapabilityUpdate | Apply configuration update file as Security Officer only. |
CA_CheckOperationState | Checks if the specified cryptographic operation (encrypt, decrypt, sign, verify,digest) is in progress or not in the given session. |
CA_CloneAsSource | Refer to the SafeNet Luna Cloning Functions Technical Note, available from Technical Support. |
CA_CloneAsTarget | Refer to the SafeNet Luna Cloning Functions Technical Note, available from Technical Support. |
CA_CloneAsTargetInit | Refer to the SafeNet Luna Cloning Functions Technical Note, available from Technical Support. |
CA_CloneModifyMofN | Firmware 4. Cloning of M of N. |
CA_CloneMofN | Firmware 4 cloning of M of N. Copy a cloneable secret-splitting vector from one token to another. |
CA_CloneMofN_Common | Firmware 4 cloning of M of N. |
CA_CloneObject | Refer to the SafeNet Luna Cloning Functions Technical Note, available from Technical Support. |
CA_ClonePrivateKey | Permits the secure transfer a private key (RSA) between a source token and a target token. |
CA_CloseApplicationID | Deactivate an application identifier. |
CA_CloseApplicationIDForContainer | Deactivate an application identifier for a container. |
CA_CloseSecureToken | Firmware 6. Close context for an SFF token. |
CA_ConfigureRemotePED | Configure the given slot to use the provided remote PED information (appliance slot only). |
CA_CreateContainer | Create a partition for non-PPSO users. |
CA_CreateContainerLoginChallenge | Create a challenge for a role on a partition. |
CA_CreateContainerWithPolicy | Firmware 6. Create a partition with per-partition template data. |
CA_CreateLoginChallenge | Create a login challenge for the specified user. |
CA_Deactivate | Deactivate a partition. |
CA_DeactivateMofN | Firmware 4. Deactivate M of N. |
CA_DeleteContainer | Delete a partition. |
CA_DeleteContainerWithHandle | Delete a partition. |
CA_DeleteRemotePEDVector | Delete the Remote PED vector. |
CA_DeriveKeyAndWrap | This is an optimization of C_DeriveKey with C_Wrap, merging the two functions into one (the in and out constraints are the same as for the individual functions). A further optimization is applied when mechanism CKM_ECDH1_DERIVE is used with CA_DeriveKeyAndWrap. |
CA_DestroyMultipleObjects | Delete multiple objects. |
CA_DismantleRemotePED | Inverse of CA_ConfigureRemotePED(). Delete remote PED configuration information. |
CA_DuplicateMofN | Create duplicates (copies) of all MofN secret splits. |
CA_EncodeECChar2Params | Encode EC curve parameters for user defined curves. |
CA_EncodeECParamsFromFile | Encode EC curve parameters for user defined curves. |
CA_EncodeECPrimeParams | Encode EC curve parameters for user defined curves. |
CA_Extract | Extract a SIM3 blob. |
CA_FactoryReset | Factory Reset the HSM. |
CA_FindAdminSlotForSlot | Get the Admin slot for the current slot. |
CA_FirmwareRollback | Rollback firmware. |
CA_FirmwareUpdate | Firmware 4. Firmware update for Firmware 4 (only used in Luna SA 4.x). |
CA_GenerateCloneableMofN | Create a cloneable secret-splitting vector on a token. |
CA_GenerateCloningKEV | Refer to the SafeNet Luna Cloning Functions Technical Note, available from Technical Support. |
CA_GenerateMofN | Generate the secret information on a token. |
CA_GenerateMofN_Common | Refer to the M of N document. |
CA_Get | Get HSM parameters such as serial numbers, and certificates. |
CA_GetConfigurationElementDescription | Get capability / policy description and properties. |
CA_GetContainerCapabilitySet | Get all partition capability values. |
CA_GetContainerCapabilitySetting | Get a single partition capability value. |
CA_GetContainerList | Get the list of all partitions on a slot. |
CA_GetContainerName | Get the name of a specific partition. |
CA_GetContainerPolicySet | Get all partition policy values. |
CA_GetContainerPolicySetting | Get a single partition policy value. |
CA_GetContainerStatus | Get partition status, which returns authentication status flags. |
CA_GetContainerStorageInformation | Get partition storage information such as size, usage, and number of objects. |
CA_GetDefaultHSMPolicyValue | Get the default value of a single HSM policy. |
CA_GetDefaultPartitionPolicyValue | Get the default value of a single partition policy. |
CA_GetFirmwareVersion | Get the vendor-specific firmware version of the SafeNet Luna HSM. |
CA_GetHAState | Get HA status from the application perspective. |
CA_GetHSMCapabilitySet | Get all HSM capability values. |
CA_GetHSMCapabilitySetting | Get a single HSM capability value. |
CA_GetHSMPolicySet | Get all HSM policy values. |
CA_GetHSMPolicySetting | Get a single HSM policy value. |
CA_GetHSMStats | Get HSM usage stats such as operational counters and how busy the HSM is. |
CA_GetHSMStorageInformation | Get HSM storage information such as storage and usage. |
CA_GetMofNStatus | Retrieve the MofN structure of the specified token. |
CA_GetNumberOfAllowedContainers | Get the number of allowed partitions depending on the partition license count. |
CA_GetObjectHandle | Get the object handle for a given OUID. |
CA_GetObjectUID | Get the OUID for a given object handle. |
CA_GetPartitionPolicyTemplate | Firmware 6. Gets default partition policy template data from HSM. |
CA_GetPedId | Get the PED ID. |
CA_GetRemotePEDVectorStatus | Get the status of the RPV, created or not. |
CA_GetRollbackFirmwareVersion | Get the available rollback version. |
CA_GetSecureElementMeta | Get META data for objects on an SFF backup token. |
CA_GetServerInstanceBySlotID | Get the instance # in the chrystoki.conf (crystoki.ini) file for the appliance/server the specified slot maps to. |
CA_GetSessionInfo | Gets the session info that includes vendor specific information such as authentication state and container handle. |
CA_GetSlotIdForContainer | Return a slot for a given container handle. |
CA_GetSlotIdForPhysicalSlot | Return a slot for a given physical slot. |
CA_GetSlotListFromServerInstance | Get the list of slots for the specified appliance/server instance #, as defined in the chrystoki.conf (crystoki.ini) file. |
CA_GetTime | Get the HSM time. |
CA_GetTokenCapabilities | Get the capabilities for the specified partition. |
CA_GetTokenCertificateInfo | Get the cloning certificate. |
CA_GetTokenCertificates | Get all HSM certifcates. |
CA_GetTokenInsertionCount | Get the insertion or reset count of HSM in the given slot. |
CA_GetTokenObjectHandle | Firmware 6.22.0 or higher. Same as CA_GetObjectHandle for partitions with a partition security officer. |
CA_GetTokenObjectUID | Firmware 6.22.0 or higher. Same as CA_GetObjectOUID for partitions with a partition security officer. |
CA_GetTokenPolicies | Get partition policies. |
CA_GetTokenStatus | Get partition status. |
CA_GetTokenStorageInformation | Get partition storage information. |
CA_GetTunnelSlotNumber | Get the tunnel slot number for a given slot number. |
CA_HAActivateMofN | See High Availability Indirect Login Functions. |
CA_HAAnswerLoginChallenge | See High Availability Indirect Login Functions. |
CA_HAAnswerMofNChallenge | See High Availability Indirect Login Functions. |
CA_HAGetLoginChallenge | See High Availability Indirect Login Functions. |
CA_HAGetMasterPublic | See High Availability Indirect Login Functions. |
CA_HAInit | See High Availability Indirect Login Functions. |
CA_HALogin | See High Availability Indirect Login Functions. |
CA_InitAudit | Initialize the Auditor role. |
CA_InitializeRemotePEDVector | Create the Remote PED Vector. |
CA_InitRolePIN | Initialize a role on the current slot. |
CA_InitSlotRolePIN | Initialize a role on a different slot. |
CA_InitToken | Same as CA_Init_token with PPT support. |
CA_Insert | Insert a SIM3 blob. |
CA_IsMofNEnabled | Firmware 4. Queries M of N status. |
CA_IsMofNRequired | Firmware 4. Queries M of N status. |
CA_ListSecureTokenInit | Retrieve information from an SFF backup token. |
CA_ListSecureTokenUpdate | Continue retrieving information from a backup SFF token. |
CA_LogExportSecret | Export (backup) the audit log HMAC key. |
CA_LogExternal | Log external message - pushes an application-provided message to the HSM and logs it via the audit log. |
CA_LogGetConfig | Get the audit log configuration. |
CA_LogGetStatus | Get the audit log status (audit role, logs needing export, HSM to PedClient communication status). |
CA_LogImportSecret | Restore the audit log HMAC key. |
CA_LogSetConfig | Modify the audit log configuration. |
CA_LogVerify | Verify the audit log record(s). |
CA_LogVerifyFile | Verify the audit log record file. |
CA_ManualKCV | Set the key cloning vector (KCV) (sets the domain). |
CA_ModifyMofN | Modify the secret-splitting vector on a token. |
CA_ModifyUsageCount | Modify key usage count (Crypto Officer). |
CA_MTKGetState | Firmware 6. Get the master tamper key (MTK) state (tampered or not). |
CA_MTKResplit | Generate new MTK split, new purple key value. |
CA_MTKRestore | Return MTK, provide purple key to recover from tamper. |
CA_MTKSetStorage | Create purple key, enables STM/SRK. |
CA_MTKZeroize | Erase the MTK, user invoked tamper. Puts HSM in to transport mode. |
CA_OpenApplicationID | Activate an application identifier, independent of any open sessions. |
CA_OpenApplicationIDForContainer | Same as CA_OpenApplicationID, but partition specific. |
CA_OpenSecureToken | Firmware 6. Open context for an SFF token. |
CA_OpenSession | Same as C_OpenSession, but lets you specify partition. |
CA_OpenSessionWithAppID | Same as CA_OpenSession, but lets you specify an application ID (AppID) |
CA_PerformSelfTest | Invoke a self test on HSM (RNG statistics, Cryptographic Algorithms). |
CA_QueryLicense | Get License/CUF information. |
CA_ResetDevice | Reset the HSM . |
CA_ResetPIN | SO reset of a CO role PIN (if "SO can reset PIN" policy is on). |
CA_Restart | Clean up all sessions for a given slot. |
CA_RestartForContainer | Clean up all sessions for a given partition. |
CA_RetrieveLicenseList | Get a list of all Licenses/CUFs. |
CA_RoleStateGet | Get the state of a role (initialized, activated, failed logins, challenge created, etc). |
CA_SetApplicationID | Set the application's identifier. |
CA_SetCloningDomain | Set the domain string used during token initialization. |
CA_SetContainerPolicies | Set multiple partition policies. |
CA_SetContainerPolicy | Set single partition policy. |
CA_SetContainerSize | Set container storage size. |
CA_SetDestructiveHSMPolicies | Set multiple destructive HSM policies. |
CA_SetDestructiveHSMPolicy | Set single destructive HSM policy. |
CA_SetHSMPolicies | Set multiple HSM policies. |
CA_SetHSMPolicy | Set single HSM policy. |
CA_SetKCV | Set KCV (domain). |
CA_SetLKCV | Set a legacy KCV (legacy domain). |
CA_SetMofN | Set the security policy for the token to use the secret sharing feature. |
CA_SetPedId |
Set the PED ID for a specific slot. |
CA_SetRDK | Set the RDK (role specific KCV) for the current role. |
CA_SetTokenPolicies | Set partition policies for given slot (PPSO only) |
CA_SetUserContainerName | Set the name the library should use for the user partition on non-PPSO partitions. |
CA_SIMExtract | SIM2, SKS, firmware 4.x, firmware 6.x. Extract SIM2 blob. |
CA_SIMInsert | SIM2, SKS, firmware 4.x, firmware 6.x. Insert SIM2 blob. |
CA_SIMMultiSign | SIM2, SKS, firmware 4.x, firmware 6.x. Sign multiple data blobs with multiple keys provided as SIM2 blobs. |
CA_SpRawRead | PED key migration - read PED key value from DataKey PED Key. |
CA_SpRawWrite | PED key migration - store PED key value to iKey PED Key. |
CA_STCClearCipherAlgorithm | Remove the specified Cipher Algorithm from use with STC for the specified slot. |
CA_STCClearDigestAlgorithm | Remove the specified Digest Algorithm from use with STC for the specified slot. |
CA_STCDeregister | Remove STC registration of a client from the specified slot. |
CA_STCGetAdminPubKey | Get the public key for the Admin slot's STC identity RSA keypair. |
CA_STCGetChannelID | Get the Secure Trusted Channel ID for the current slot. |
CA_STCGetCipherAlgorithm | Get all the valid cipher suites allowed for the specified slot. |
CA_STCGetCipherID | Get the ID for the cipher currently in use on active STC to this slot. |
CA_STCGetCipherIDs | Get all cipher IDs valid for use with STC to the specified slot. |
CA_STCGetCipherNameByID | Get the readable name string for the specified Cipher ID. |
CA_STCGetClientInfo | Get the STC registration details (name, public key, active access) about the specified client on the specified slot. |
CA_STCGetClientsList | Get the list of all STC clients registered to the specified slot. |
CA_STCGetCurrentKeyLife | Get the remaining lifetime (in operations) for the active negotiated STC session key. |
CA_STCGetDigestAlgorithm | Get all the valid digest algorithms allowed for the specified slot. |
CA_STCGetDigestID | Get the ID for the digest currently in use on active STC to this slot. |
CA_STCGetDigestIDs | Get all digest IDs valid for use with STC to the specified slot. |
CA_STCGetDigestNameByID | Get the readable name string for the specified Digest ID. |
CA_STCGetKeyActivationTimeOut | Get the amount of time allowed between the initiation and completion of STC session negotiation. |
CA_STCGetKeyLifeTime | Get the configured session key lifetime (in operations) for the specified slot. |
CA_STCGetPartPubKey | Get the public key for the specified slot STC identity RSA keypair. |
CA_STCGetPubKey | Get the specified slot's public key. |
CA_STCGetSequenceWindowSize | Get the replay window size for the specified slot. |
CA_STCGetState | Get the STC state of the specified slot. |
CA_STCIsEnabled | Determine if STC is configured for the specified slot. |
CA_STCRegister | Register a client for STC to the specified slot. |
CA_STCSetCipherAlgorithm | Set a cipher algorithm as valid for use with STC on the specified slot. |
CA_STCSetDigestAlgorithm | Set a digest algorithm as valid for use with STC on the specified slot. |
CA_STCSetKeyActivationTimeOut | Set the amount of time allowed between the initiation and completion of STC session negotiations for the specified slot. |
CA_STCSetKeyLifeTime | Set how long a STC key can live before STC rekeying occurs. |
CA_STCSetSequenceWindowSize | Set the replay window size for the specified slot. |
CA_STMGetState | Firmware 7. Get STM state (enabled or disabled). |
CA_STMToggle | Enter, or recover from, Secure Transport Mode. |
CA_TamperClear | Firmware 7. Used by the SO to clear tamper status. |
CA_TimeSync | Synchronize the HSM time with the host time. |
CA_TokenDelete | SO can delete a partition (PPSO only). |
CA_TokenZeroize | Zeroize a PPSO partition. |
CA_ValidateContainerPolicySet | Firmware 7. Validate partition policy settings prior to calling SetPolicies. |
CA_ValidateHSMPolicySet | Firmware 7. Validate HSM policy settings prior to calling SetPolicies. |
CA_WaitForSlotEvent | For PCMCIA HSMs, extends C_WaitForSlotEvent and provides some history of events. |
CA_Zeroize | Zeroize the HSM. |