FM PKCS#11 EXTENSION FUNCTIONS - updated for post-7.7.0 HSM version

The functions listed below are PKCS#11 extensions. They are provided by Thales’s implementation of the PKCS#11 Cryptoki library; the PKCS#11 standard itself does not specify them.

Identical functions also exist in the Luna HSM client software. The only difference is that the client’s versions of the functions have a ‘CA_’ prefix in their names instead of the ‘FM_’ prefix. The ‘CA_’ equivalents are fully described in the Luna HSM SDK Reference [see Extensions to PKCS#11]. By extension, their descriptions fully apply to the functions listed in this section.

The Luna HSM operational concepts related to these functions are described in About the HSM Administration Guide and About the Partition Administration Guide.

FM code must include “fmsupt.h” to use any of the functions below.

"FM_SMKRollover"

"FM_Bip32ExportPublicKey"

"FM_Bip32ImportPublicKey"

"FM_OpenSessionWithAppIDV2"

"FM_CloseApplicationIDV2"

"FM_CloseApplicationIDForContainerV2"

"FM_OpenApplicationIDV2"

"FM_OpenApplicationIDForContainerV2"

"FM_SetApplicationIDV2"

"FM_RandomizeApplicationID"

"FM_GetApplicationID"

"FM_SIMExtract"

"FM_SIMInsert"

"FM_SIMMultiSign"

"FM_AuthorizeKey"

"FM_SetAuthorizationData"

"FM_ResetAuthorizationData"

"FM_AssignKey"

"FM_IncrementFailedAuthCount"

"FM_DeriveKeyAndWrap"

"FM_GetSessionInfoV2"

"FM_CloneAsSourceInit"

"FM_CloneAsTargetInit"

"FM_CloneAsSource"

"FM_CloneAsTarget"

"FM_GetConfigurationElementDescription"

"FM_GetHSMCapabilities"

"FM_GetHSMCapabilitySetting"

"FM_GetHSMPolicies"

"FM_GetHSMPolicySetting"

"FM_GetTokenCapabilities"

"FM_GetTokenCapabilitySetting"

"FM_GetTokenPolicies"

"FM_GetTokenPolicySetting"

"FM_FindAdminSlotForSlot"

FM EXTENSIONS TO THE STANDARD C LIBRARY

This section describes two functions that work similarly to the standard memset() and memcmp(), but that guarantee properties the standard functions might not provide.

fm_memisequal()

Similar to the standard memcmp() function, except it guarantees that the time taken by the comparison is strictly proportional to the length of the comparison. In other words, the comparison takes the same time regardless of whether the memory areas being compared are different or equal. This property is sometimes called constant-time comparison.

Another difference is that this function is not a lexicographic comparator. Unlike memcmp(), if the compared memory areas differ, this function does not indicate which one is greater or smaller in a mathematical sense. It only indicates whether the memory areas are equal or not.

Synopsis
#include <fmstring.h>
int fm_memisequal(const void *s1, const void *s2, size_t n);
Input Parameters
s1 Pointer to the first memory area
s2 Pointer to the second memory area
n number of bytes in s1 and s2 to compare
Output Requirements

Return value: zero if the s1 and s2 memory areas are identical, not zero otherwise.

fm_memzero()

Similar to calling the standard C library’s memset() function as memset(s, 0, n). Unlike memset(), fm_memzero() guarantees that its call will never be optimized out by the compiler. In other words, it guarantees that the first n bytes of the memory area s will be set to zero even if the compiler considers it unnecessary. For example, the compiler can determine that the memory area s is not used by the execution flow of the code after a memset(s, 0, n) call; it may then consider the memset() call redundant and remove it. This can never happen when fm_memzero() is used.

Synopsis
#include <fmstring.h>
void fm_memzero(void *s, size_t n);
Input Parameters
s Pointer to the memory area
n number of bytes in s to set to zero
Output Requirements

None
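
The two contracts above, as a portable sketch added here for illustration; it is not Thales code and does not use fmstring.h. ct_memisequal(), wipe(), all_zero(), check_tag_and_wipe() and TAG_LEN are hypothetical names, and in an FM the first two would be replaced by fm_memisequal() and fm_memzero().

```c
#include <stddef.h>
#include <string.h>
#define TAG_LEN 16

/* Stand-in for fm_memisequal(): 0 when equal, non-zero otherwise.
 * Every byte is always read; there is no early exit on a mismatch. */
static int ct_memisequal(const void *s1, const void *s2, size_t n)
{
    const volatile unsigned char *a = s1, *b = s2;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff;
}

/* Stand-in for fm_memzero(): volatile stores cannot be dropped as dead. */
static void wipe(void *s, size_t n)
{
    volatile unsigned char *p = s;
    while (n--)
        *p++ = 0;
}

/* Returns 1 if all n bytes are zero (used to observe the wipe). */
static int all_zero(const unsigned char *s, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= s[i];
    return acc == 0;
}

/* Returns 1 if the received tag matches, else 0; the computed tag is wiped
 * on both paths. Zero means "equal", so the result is tested with "== 0". */
int check_tag_and_wipe(unsigned char *computed, const unsigned char *received)
{
    int ok = (ct_memisequal(computed, received, TAG_LEN) == 0);
    wipe(computed, TAG_LEN);
    return ok;
}

int main(void)
{
    unsigned char computed[TAG_LEN], received[TAG_LEN];  /* constructed data */
    memset(computed, 0xA5, TAG_LEN);
    memset(received, 0xA5, TAG_LEN);
    received[TAG_LEN - 1] ^= 0x01;                       /* last byte differs */
    int ok = check_tag_and_wipe(computed, received);
    return (ok == 0 && all_zero(computed, TAG_LEN)) ? 0 : 1;
}
```

Because the documented return value is zero for equal areas, writing the condition as if (fm_memisequal(a, b, n)) would take the branch only when the areas differ.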

CRYPTOGRAPHIC MECHANISMS SUPPORTED BY FM CRYPTO ENGINES

FM Crypto Engines support all mechanisms that the host Thales Cryptoki library accepts for PKCS#11 functions C_EncryptInit(), C_DecryptInit(), C_SignInit(), C_VerifyInit() and C_DigestInit(). The exhaustive list of mechanisms can be found in the Luna HSM SDK Reference [see Supported Mechanisms].

CRYPTOGRAPHIC MECHANISMS SUPPORTED BY FM CIPHER AND HASH OBJECTS

FM Cipher Objects and Hash Objects support the following limited set of mechanisms:

CKM_AES_ECB

CKM_AES_CBC

CKM_AES_CBC_PAD

CKM_AES_MAC

CKM_AES_MAC_GENERAL

CKM_DES_ECB

CKM_DES_CBC

CKM_DES_CBC_PAD

CKM_DES_MAC

CKM_DES_MAC_GENERAL

CKM_DES3_ECB

CKM_DES3_CBC

CKM_DES3_CBC_PAD

CKM_DES3_MAC

CKM_DES3_MAC_GENERAL

CKM_CAST128_ECB

CKM_CAST128_CBC

CKM_CAST128_CBC_PAD

CKM_CAST128_MAC

CKM_CAST128_MAC_GENERAL

CKM_RC2_ECB

CKM_RC2_CBC

CKM_RC2_CBC_PAD

CKM_RC2_MAC

CKM_RC2_MAC_GENERAL

CKM_MD5_HMAC

CKM_MD5_HMAC_GENERAL

CKM_SHA_1_HMAC

CKM_SHA_1_HMAC_GENERAL

CKM_RIPEMD160_HMAC

CKM_RIPEMD160_HMAC_GENERAL

CKM_RSA_X_509

CKM_RSA_PKCS

CKM_RSA_PKCS_OAEP

CKM_RSA_9796

CKM_MD5_RSA_PKCS

CKM_SHA1_RSA_PKCS

CKM_SHA224_RSA_PKCS

CKM_SHA256_RSA_PKCS

CKM_SHA384_RSA_PKCS

CKM_SHA512_RSA_PKCS

CKM_DSA

CKM_MD5

CKM_RIPEMD160

CKM_SHA_1

CKM_SHA224

CKM_SHA256

CKM_SHA384

CKM_SHA512