PKCS#11 Compliance
This section shows the compliance of Luna Software Development Kit HSM products to the PKCS#11 standard, with reference to particular versions of the standard. The text of the standard is not reproduced here.
Supported PKCS#11 Services
The table below identifies which PKCS#11 services this version of Luna Software Development Kit supports. The table following lists other features of PKCS#11 and identifies the compliance of this version of the Luna Software Development Kit to these features.
| Category | Function | Supported on Luna partitions | Supported on Luna keyrings |
|---|---|---|---|
| General purpose functions | C_Initialize | Yes | Yes |
| C_Finalize | Yes | Yes | |
| C_GetInfo | Yes | Yes | |
| C_GetFunctionList | Yes | Yes | |
| Slot and token management functions | C_GetSlotList | Yes | Yes |
| C_GetSlotInfo | Yes | Yes | |
| C_GetTokenInfo | Yes | Yes | |
| C_WaitForSlotEvent | No | No | |
| C_GetMechanismList | Yes | Yes | |
| C_GetMechanismInfo | Yes | Yes | |
| C_InitToken | Yes | Yes | |
| C_InitPIN | Yes | Yes | |
| C_SetPIN | Yes | Yes | |
| Session management functions | C_OpenSession | Yes | Yes |
| C_CloseSession | Yes | Yes | |
| C_CloseAllSessions | Yes | Yes | |
| C_GetSessionInfo | Yes | Yes | |
| C_GetOperationState | Yes | No | |
| C_SetOperationState | Yes | No | |
| C_Login | Yes | Yes | |
| C_Logout | Yes | Yes | |
| Object management functions | C_CreateObject | Yes | Yes |
| C_CopyObject | Yes | No | |
| C_DestroyObject | Yes | Yes | |
| C_GetObjectSize | Yes | Yes | |
| C_GetAttributeValue | Yes | Yes | |
| C_SetAttributeValue | Yes | Yes | |
| C_FindObjectsInit | Yes | Yes | |
| C_FindObjects | Yes | Yes | |
| C_FindObjectsFinal | Yes | Yes | |
| Encryption functions | C_EncryptInit | Yes | Yes |
| C_Encrypt | Yes | Yes | |
| C_EncryptUpdate | Yes | Yes | |
| C_EncryptFinal | Yes | Yes | |
| Decryption functions | C_DecryptInit | Yes | Yes |
| C_Decrypt | Yes | Yes | |
| C_DecryptUpdate | Yes | Yes | |
| C_DecryptFinal | Yes | Yes | |
| Message digesting functions | C_DigestInit | Yes | Yes |
| C_Digest | Yes | Yes | |
| C_DigestUpdate | Yes | Yes | |
| C_DigestKey | Yes | Yes | |
| C_DigestFinal | Yes | Yes | |
| Signing and MACing functions | C_SignInit | Yes | Yes |
| C_Sign | Yes | Yes | |
| C_SignUpdate | Yes | Yes | |
| C_SignFinal | Yes | Yes | |
| C_SignRecoverInit | No | No | |
| C_SignRecover | No | No | |
| Functions for verifying signatures and MACs | C_VerifyInit | Yes | Yes |
| C_Verify | Yes | Yes | |
| C_VerifyUpdate | Yes | Yes | |
| C_VerifyFinal | Yes | Yes | |
| C_VerifyRecoverInit | No | No | |
| C_VerifyRecover | No | No | |
| Dual-purpose cryptographic functions | C_DigestEncryptUpdate | No | No |
| C_DecryptDigestUpdate | No | No | |
| C_SignEncryptUpdate | No | No | |
| C_DecryptVerifyUpdate | No | No | |
| Key management functions | C_GenerateKey | Yes | Yes |
| C_GenerateKeyPair | Yes | Yes | |
| C_WrapKey | Yes | Yes | |
| C_UnwrapKey* | Yes | Yes | |
| C_DeriveKey | Yes | Yes | |
| Random number generation functions | C_SeedRandom | Yes | No |
| C_GenerateRandom | Yes | Yes | |
| Parallel function management functions | C_GetFunctionStatus | No | No |
| C_CancelFunction | No | No | |
| Callback function | No | No |
*C_UnwrapKey has support for the CKA_Unwrap_Template object. All mechanisms which perform the unwrap function support an unwrap template. Nested templates are not supported.
| Feature | Supported? |
|---|---|
| Exclusive sessions | Yes |
| Parallel sessions | No |
Key Check Values
The Luna HSM firmware calculates a checksum or key check value for each key object created by the HSM. This value or checksum length is fixed at 3 bytes, as defined by PKCS#11.
Additional Functions
Please note that certain additional functions have been implemented by Thales as extensions to the standard. These include aspects of object cloning, and are described in detail in Luna Extensions to PKCS#11.
