Cryptographic Engine

The Cryptoki interface provides a standardized way of performing cryptographic operations. However a considerable amount of overhead is introduced.

Luna FM SDK package provides internal APIs that bypass the PKCS #11 subsystem to provide high performance cryptographic functionality. This chapter describes the functions in this API. It contains the following functions:

>Single part sign operation

>Single part verify operation

>Single part encrypt operation

>Single part decrypt operation

>Single part digest operation

>Multi-part sign operation init

>Multi-part encrypt operation init

>Multi-part verify operation init

>Multi-part decrypt operation init

>Multi-part digest operation init

>Multi-part sign operation update

>Multi-part verify operation update

>Multi-part decrypt operation update

>Multi-part encrypt operation update

>Multi-part digest operation update

>Multi-part sign operation final

>Multi-part verify operation final

>Multi-part decrypt operation final

>Multi-part encrypt operation final

>Multi-part digest operation final

Parameters

The Crypto Engine API uses PKCS#11 parameters for all parameters except for keys.

For a full list of supported mechanisms refer to Supported Mechanisms.

The <FMCE_KEY_PTR> parameter is a pointer to a union of all supported key types. For more details and a list of supported key types refer to the fmcrypto.h header file.

Single part sign operation

CK_RV FMCE_Sign(
               CK_MECHANISM_PTR pMech,  // IN: mechanism type and parameters
               FMCE_KEY_PTR     pKey,   // IN: key value
 
               CK_ULONG         ulDataInLen,  // len of data to sign
               CK_BYTE_PTR      pDataIn,      // IN: data to sign
               CK_ULONG_PTR     pulSigOutLen, // IN: len of sig buf OUT: len of signature
               CK_BYTE_PTR      pSigOut       // OUT: signature
                      );

Single part verify operation

extern CK_RV FMCE_Verify(
               CK_MECHANISM_PTR pMech,  // IN: mechanism type and parameters
               FMCE_KEY_PTR     pKey,   // IN: key value
 
               CK_ULONG         ulDataInLen,  // len of signed data 
               CK_BYTE_PTR      pDataIn,      // IN: signed data
               CK_ULONG         ulSigLen,     // len of signature
               CK_BYTE_PTR      pSig);        // IN: signature

Single part encrypt operation

CK_RV FMCE_Encrypt(
               CK_MECHANISM_PTR pMech,  // mechanism type and parameters
               FMCE_KEY_PTR     pKey,   // key value
 
               CK_ULONG         ulDataInLen,
               CK_BYTE_PTR      pDataIn,
               CK_ULONG_PTR     pulOutLen,
               CK_BYTE_PTR      pOut);

Single part decrypt operation

CK_RV FMCE_Decrypt(
               CK_MECHANISM_PTR pMech,  // mechanism type and parameters
               FMCE_KEY_PTR     pKey,   // key value
 
               CK_ULONG         ulDataInLen,
               CK_BYTE_PTR      pDataIn,
               CK_ULONG_PTR     pulOutLen,
               CK_BYTE_PTR      pOut);

Single part digest operation

CK_RV FMCE_Digest(
               CK_MECHANISM_PTR pMech,  // IN: mechanism type and parameters
 
               CK_ULONG         ulDataInLen,  // len of data to digest
               CK_BYTE_PTR      pDataIn,      // IN: data to digest
               CK_ULONG_PTR     pulDigOutLen, // IN: len of digest uffer OUT: len of digest
               CK_BYTE_PTR      pDigOut       // OUT: digest
                        );

Multi-part sign operation init

CK_RV FMCE_SignInit(
               CK_MECHANISM_PTR pMech,  // IN: mechanism type and parameters
               FMCE_KEY_PTR     pKey,   // IN: key value
 
               FMCE_HANDLE_PTR  pCtxHdl // OUT: handle for following calls
                         );

Multi-part encrypt operation init

CK_RV FMCE_EncInit(
               CK_MECHANISM_PTR pMech,  // mechanism type and parameters
               FMCE_KEY_PTR     pKey,   // key value
 
               FMCE_HANDLE_PTR  pCtxHdl // OUT: handle for following calls
                         );

Multi-part verify operation init

CK_RV FMCE_VerifyInit(
               CK_MECHANISM_PTR pMech,  // mechanism type and parameters
               FMCE_KEY_PTR     pKey,   // key value
 
               FMCE_HANDLE_PTR  pCtxHdl // OUT: handle for following calls
                         );

Multi-part decrypt operation init

CK_RV FMCE_DecInit(
               CK_MECHANISM_PTR pMech,  // mechanism type and parameters
               FMCE_KEY_PTR     pKey,   // key value
 
               FMCE_HANDLE_PTR  pCtxHdl // OUT: handle for following calls
                         );

Multi-part digest operation init

CK_RV FMCE_DigestInit(
               CK_MECHANISM_PTR pMech,  // mechanism type and parameters
 
               FMCE_HANDLE_PTR  pCtxHdl // OUT: handle for following calls
                         );

Multi-part sign operation update

CK_RV FMCE_SignUpdate(
               FMCE_HANDLE     ulCtxHdl,    // handle from init operation
               CK_ULONG        ulDataInLen, // len of data to sign
               CK_BYTE_PTR     pDataIn      // IN: data to sign
                            );

Multi-part verify operation update

CK_RV FMCE_VerifyUpdate(
               FMCE_HANDLE     ulCtxHdl,    // handle from init operation
               CK_ULONG        ulDataInLen, // len of signed data
               CK_BYTE_PTR     pDataIn      // IN: signed data
                              );

Multi-part decrypt operation update

CK_RV FMCE_DecUpdate(
               FMCE_HANDLE     ulCtxHdl,    // handle from init operation
               CK_ULONG        ulDataInLen, // len of cipher data
               CK_BYTE_PTR     pDataIn,     // IN: cipher data
               CK_ULONG_PTR    pulDataOutLen, // IN: o/p data len OUT: len clear text
               CK_BYTE_PTR     pDataOut     // OUT: clear text
                          );

Multi-part encrypt operation update

CK_RV FMCE_EncUpdate(
               FMCE_HANDLE     ulCtxHdl,     // handle from init operation
               CK_ULONG        ulDataInLen,  // len clear text
               CK_BYTE_PTR     pDataIn,      // IN: clear text
               CK_ULONG_PTR    pulDataOutLen,// IN: len cipher text buffer OUT: len cipher text
               CK_BYTE_PTR     pDataOut      // OUT: cipher text
                           );

Multi-part digest operation update

CK_RV FMCE_DigestUpdate(
               FMCE_HANDLE     ulCtxHdl,     // handle from init operation
               CK_ULONG        ulDataInLen,  // len of data
               CK_BYTE_PTR     pDataIn       // IN: data to digest
                              );

Multi-part sign operation final

CK_RV FMCE_SignFinal(
               FMCE_HANDLE     ulCtxHdl,     // handle from init operation
               CK_ULONG        ulMacLen,     // len (in bytes) of MAC (only for MAC operations) else ignored
               CK_ULONG_PTR    pulSigOutLen, // IN: len of signature buffer OUT: len of signature
               CK_BYTE_PTR     pSigOut       // OUT: signature
                          );

Multi-part verify operation final

CK_RV FMCE_VerifyFinal(
               FMCE_HANDLE     ulCtxHdl,     // handle from init operation
               CK_ULONG        ulSigInLen,   // len of signature
               CK_BYTE_PTR     pSigIn        // IN: signature
                             );

Multi-part decrypt operation final

CK_RV FMCE_DecFinal(
               FMCE_HANDLE     ulCtxHdl,     // handle from init operation
               CK_ULONG_PTR    pulDataOutLen,// IN: len of clear text buffer OUT: len of clear text
               CK_BYTE_PTR     pDataOut      // OUT: clear text
                          );

Multi-part encrypt operation final

CK_RV FMCE_EncFinal(
               FMCE_HANDLE     ulCtxHdl,     // handle from init operation
               CK_ULONG_PTR    pulDataOutLen,// IN: len of buffer OUT: len cipher text
               CK_BYTE_PTR     pDataOut      // OUT: cipher text
                         );

Multi-part digest operation final

CK_RV FMCE_DigestFinal(
               FMCE_HANDLE     ulCtxHdl,     // handle from init operation
               CK_ULONG_PTR    pulDigOutLen, // IN: len of buffer OUT: len of digest 
               CK_BYTE_PTR     pDigOut       // OUT: digest

Supported Mechanisms

As of Luna HSM Firmware 7.7.0, the FM cryptographic engine supports all mechanisms that the host Thales Cryptoki library accepts for the following PKCS#11 functions:

>C_EncryptInit()

>C_DecryptInit()

>C_SignInit()

>C_VerifyINit()

>C_DigestInit()

For an exhaustive list of supported mechanisms, refer to Firmware 7.7.0 Mechanisms.