Cryptographic Engine
The Cryptoki interface provides a standardized way of performing cryptographic operations. However a considerable amount of overhead is introduced.
Luna FM SDK package provides internal APIs that bypass the PKCS #11 subsystem to provide high performance cryptographic functionality. This chapter describes the functions in this API. It contains the following functions:
>Single part encrypt operation
>Single part decrypt operation
>Multi-part sign operation init
>Multi-part encrypt operation init
>Multi-part verify operation init
>Multi-part decrypt operation init
>Multi-part digest operation init
>Multi-part sign operation update
>Multi-part verify operation update
>Multi-part decrypt operation update
>Multi-part encrypt operation update
>Multi-part digest operation update
>Multi-part sign operation final
>Multi-part verify operation final
>Multi-part decrypt operation final
>Multi-part encrypt operation final
>Multi-part digest operation final
Parameters
The Crypto Engine API uses PKCS#11 parameters for all parameters except for keys.
For a full list of supported mechanisms refer to Supported Mechanisms.
The <FMCE_KEY_PTR> parameter is a pointer to a union of all supported key types. For more details and a list of supported key types refer to the fmcrypto.h header file.
Single part sign operation
CK_RV FMCE_Sign( CK_MECHANISM_PTR pMech, // IN: mechanism type and parameters FMCE_KEY_PTR pKey, // IN: key value CK_ULONG ulDataInLen, // len of data to sign CK_BYTE_PTR pDataIn, // IN: data to sign CK_ULONG_PTR pulSigOutLen, // IN: len of sig buf OUT: len of signature CK_BYTE_PTR pSigOut // OUT: signature );
Single part verify operation
extern CK_RV FMCE_Verify( CK_MECHANISM_PTR pMech, // IN: mechanism type and parameters FMCE_KEY_PTR pKey, // IN: key value CK_ULONG ulDataInLen, // len of signed data CK_BYTE_PTR pDataIn, // IN: signed data CK_ULONG ulSigLen, // len of signature CK_BYTE_PTR pSig); // IN: signature
Single part encrypt operation
CK_RV FMCE_Encrypt( CK_MECHANISM_PTR pMech, // mechanism type and parameters FMCE_KEY_PTR pKey, // key value CK_ULONG ulDataInLen, CK_BYTE_PTR pDataIn, CK_ULONG_PTR pulOutLen, CK_BYTE_PTR pOut);
Single part decrypt operation
CK_RV FMCE_Decrypt( CK_MECHANISM_PTR pMech, // mechanism type and parameters FMCE_KEY_PTR pKey, // key value CK_ULONG ulDataInLen, CK_BYTE_PTR pDataIn, CK_ULONG_PTR pulOutLen, CK_BYTE_PTR pOut);
Single part digest operation
CK_RV FMCE_Digest( CK_MECHANISM_PTR pMech, // IN: mechanism type and parameters CK_ULONG ulDataInLen, // len of data to digest CK_BYTE_PTR pDataIn, // IN: data to digest CK_ULONG_PTR pulDigOutLen, // IN: len of digest uffer OUT: len of digest CK_BYTE_PTR pDigOut // OUT: digest );
Multi-part sign operation init
CK_RV FMCE_SignInit( CK_MECHANISM_PTR pMech, // IN: mechanism type and parameters FMCE_KEY_PTR pKey, // IN: key value FMCE_HANDLE_PTR pCtxHdl // OUT: handle for following calls );
Multi-part encrypt operation init
CK_RV FMCE_EncInit( CK_MECHANISM_PTR pMech, // mechanism type and parameters FMCE_KEY_PTR pKey, // key value FMCE_HANDLE_PTR pCtxHdl // OUT: handle for following calls );
Multi-part verify operation init
CK_RV FMCE_VerifyInit( CK_MECHANISM_PTR pMech, // mechanism type and parameters FMCE_KEY_PTR pKey, // key value FMCE_HANDLE_PTR pCtxHdl // OUT: handle for following calls );
Multi-part decrypt operation init
CK_RV FMCE_DecInit( CK_MECHANISM_PTR pMech, // mechanism type and parameters FMCE_KEY_PTR pKey, // key value FMCE_HANDLE_PTR pCtxHdl // OUT: handle for following calls );
Multi-part digest operation init
CK_RV FMCE_DigestInit( CK_MECHANISM_PTR pMech, // mechanism type and parameters FMCE_HANDLE_PTR pCtxHdl // OUT: handle for following calls );
Multi-part sign operation update
CK_RV FMCE_SignUpdate( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG ulDataInLen, // len of data to sign CK_BYTE_PTR pDataIn // IN: data to sign );
Multi-part verify operation update
CK_RV FMCE_VerifyUpdate( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG ulDataInLen, // len of signed data CK_BYTE_PTR pDataIn // IN: signed data );
Multi-part decrypt operation update
CK_RV FMCE_DecUpdate( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG ulDataInLen, // len of cipher data CK_BYTE_PTR pDataIn, // IN: cipher data CK_ULONG_PTR pulDataOutLen, // IN: o/p data len OUT: len clear text CK_BYTE_PTR pDataOut // OUT: clear text );
Multi-part encrypt operation update
CK_RV FMCE_EncUpdate( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG ulDataInLen, // len clear text CK_BYTE_PTR pDataIn, // IN: clear text CK_ULONG_PTR pulDataOutLen,// IN: len cipher text buffer OUT: len cipher text CK_BYTE_PTR pDataOut // OUT: cipher text );
Multi-part digest operation update
CK_RV FMCE_DigestUpdate( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG ulDataInLen, // len of data CK_BYTE_PTR pDataIn // IN: data to digest );
Multi-part sign operation final
CK_RV FMCE_SignFinal( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG ulMacLen, // len (in bytes) of MAC (only for MAC operations) else ignored CK_ULONG_PTR pulSigOutLen, // IN: len of signature buffer OUT: len of signature CK_BYTE_PTR pSigOut // OUT: signature );
Multi-part verify operation final
CK_RV FMCE_VerifyFinal( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG ulSigInLen, // len of signature CK_BYTE_PTR pSigIn // IN: signature );
Multi-part decrypt operation final
CK_RV FMCE_DecFinal( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG_PTR pulDataOutLen,// IN: len of clear text buffer OUT: len of clear text CK_BYTE_PTR pDataOut // OUT: clear text );
Multi-part encrypt operation final
CK_RV FMCE_EncFinal( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG_PTR pulDataOutLen,// IN: len of buffer OUT: len cipher text CK_BYTE_PTR pDataOut // OUT: cipher text );
Multi-part digest operation final
CK_RV FMCE_DigestFinal( FMCE_HANDLE ulCtxHdl, // handle from init operation CK_ULONG_PTR pulDigOutLen, // IN: len of buffer OUT: len of digest CK_BYTE_PTR pDigOut // OUT: digest
Supported Mechanisms
As of Luna HSM Firmware 7.7.0, the FM cryptographic engine supports all mechanisms that the host Thales Cryptoki library accepts for the following PKCS#11 functions:
>C_EncryptInit()
>C_DecryptInit()
>C_SignInit()
>C_VerifyINit()
>C_DigestInit()
For an exhaustive list of supported mechanisms, refer to Firmware 7.7.0 Mechanisms.