Luna Extensions to PKCS#11

The following table provides a list of the Luna PKCS#11 C-API extensions. Some functions are firmware-dependent, as indicated. Where there is a firmware dependency, the specified firmware version applies to all minor revisions of the firmware. In the following table, if no firmware version/series is mentioned, then the extension applies to all. If a firmware version is mentioned, then the extension applies to that firmware series, but not to others.

These commands and functions can also be used as extensions to other Application Programming Interfaces (for example, OpenSSL).

The current release of Luna Toolkit provides the Chrystoki library supporting version 2.20 of the Cryptoki standard.

CA_ActivateMofN

Activate a token that has the secret sharing feature enabled.

CA_ActivateMofN(CK_SESSION_HANDLE      hSession, 
                CA_MOFN_ACTIVATION_PTR pVectors, 
                CK_ULONG               ulVectorCount); 

CA_AddKCV

Allows the Partition Security Officer to add an additional Key Cloning Vector (KCV or cloning domain) to the partition. See also Universal Cloning and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

Requires minimum Luna HSM Firmware 7.8.0 and Luna HSM Client 10.5.0.

CA_AddKCV(CK_SESSION_HANDLE hSession, 
          CK_ULONG          ulKCVLength, 
          CK_BYTE_PTR       pKCV, 
          CK_ULONG          ulLabelLength, 
          CK_BYTE_PTR       pLabel, 
          CK_BBOOL          bMakePrimary); 
I/O Argument Description
In hSession A session on the partition authenticated by the Partition Security Officer.
ulKCVLength The length of the KCV pointed to by pKCV. If the KCV is to be entered via a Luna PED, the length must be zero.
pKCV A pointer to a byte array that contains the KCV value. If the KCV is to be entered via a Luna PED, this pointer must be set to NULL.
ulLabelLength The length of the label pointed to by pLabel. The label length cannot be 0.
pLabel A pointer to a buffer that contains the label for the domain to be added. The label must be between 1 and 32 bytes in length and is NOT a NULL terminated string. This parameter cannot be NULL.
bMakePrimary Boolean flag to indicate that the new domain should be the primary domain.
Return Code Hex Description
CKR_DOMAIN_LABEL_ALREADY_EXISTS   This error is returned when the label provided for a new domain, or when changing the label of an existing domain, already exists. This includes trying to create a domain with no label when there is already a domain with no label.
CKR_DOMAIN_MANAGEMENT_NOT_ALLOWED   Partition policy 44: Allow Extended Domain Management is disabled, or the domain specified is of a different authentication type than the HSM (specifying a multifactor quorum domain on a password-authenticated HSM or vice-versa).
CKR_DOMAIN_MAX_REACHED   This error is returned when an attempt to add a domain is made, but the limit has already been reached.

CA_AssignKey

Flags a key as assigned by setting its CKA_ASSIGNED attribute to 1. This function is available to the CO role only, and only for unassigned keys. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_AssignKey(CK_SESSION_HANDLE hSession, 
             CK_OBJECT_HANDLE  hObject); 
I/O Argument Description
In hSession The authenticated session handle.
hObject The object handle. The key specified has to satisfy the following conditions:

>It must have CKA_AUTH_DATA

>It must have CKA_EXTRACTABLE = false

>It must have CKA_SENSITIVE = true

>It must have CKA_MODIFIABLE = false

Return Code Hex Description
CKR_ASSIGNED_KEY_REQUIRES_AUTH_DATA    
CKR_ROLE_CANNOT_MAKE_KEYS_ASSIGNED    
CKR_INVALID_ASSIGNED_ATTRIBUTE_TRANSITION    
CKR_ASSIGNED_KEY_FAILED_ATTRIBUTE_DEPENDENCIES    

See also Per-Key Authorization API.
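As an added illustration (not part of the Luna documentation or SDK), the following C helper checks the four conditions listed above against a CK_ATTRIBUTE array before CA_AssignKey is called, so a caller can tell in advance which of the listed return codes to expect. The Cryptoki typedefs are reduced copies so the file builds without cryptoki.h; the numeric code used for CKA_AUTH_DATA is a placeholder, because it is a Luna vendor attribute whose real value is defined in the SDK header; the template contents are constructed sample data (in a real program they would come from C_GetAttributeValue on the key).

```c
#include <stdbool.h>
#include <stddef.h>

/* Reduced Cryptoki definitions (assumed here; the real ones come from cryptoki.h). */
typedef unsigned long CK_ULONG;
typedef CK_ULONG      CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_SENSITIVE      0x0103UL
#define CKA_EXTRACTABLE    0x0162UL
#define CKA_MODIFIABLE     0x0170UL
#define CKA_VENDOR_DEFINED 0x80000000UL
/* CKA_AUTH_DATA is a Luna vendor attribute; this code is a PLACEHOLDER for the
 * example only. Take the real value from the Luna SDK header. */
#define CKA_AUTH_DATA_PLACEHOLDER (CKA_VENDOR_DEFINED | 0x0001UL)

typedef struct {
    CK_ATTRIBUTE_TYPE type;
    void             *pValue;
    CK_ULONG          ulValueLen;
} CK_ATTRIBUTE;

/* Outcome of the pre-flight check, named after the return codes on the page. */
typedef enum {
    ASSIGN_OK = 0,
    ASSIGN_MISSING_AUTH_DATA,   /* expect CKR_ASSIGNED_KEY_REQUIRES_AUTH_DATA */
    ASSIGN_BAD_ATTRIBUTE_DEPS   /* expect CKR_ASSIGNED_KEY_FAILED_ATTRIBUTE_DEPENDENCIES */
} assign_check_t;

/* Find a CK_BBOOL attribute in the template. Returns false if absent or malformed. */
static bool find_bool(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type, CK_BBOOL *out)
{
    for (CK_ULONG i = 0; i < n; i++) {
        if (t[i].type == type) {
            if (t[i].pValue == NULL || t[i].ulValueLen != sizeof(CK_BBOOL)) return false;
            *out = *(const CK_BBOOL *)t[i].pValue;
            return true;
        }
    }
    return false;
}

/* Apply the four CA_AssignKey preconditions to a template. */
assign_check_t check_assignable(const CK_ATTRIBUTE *t, CK_ULONG n)
{
    bool has_auth = false;
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == CKA_AUTH_DATA_PLACEHOLDER && t[i].pValue != NULL && t[i].ulValueLen > 0)
            has_auth = true;
    if (!has_auth) return ASSIGN_MISSING_AUTH_DATA;

    CK_BBOOL sensitive, extractable, modifiable;
    if (!find_bool(t, n, CKA_SENSITIVE, &sensitive) || sensitive != CK_TRUE)
        return ASSIGN_BAD_ATTRIBUTE_DEPS;
    if (!find_bool(t, n, CKA_EXTRACTABLE, &extractable) || extractable != CK_FALSE)
        return ASSIGN_BAD_ATTRIBUTE_DEPS;
    if (!find_bool(t, n, CKA_MODIFIABLE, &modifiable) || modifiable != CK_FALSE)
        return ASSIGN_BAD_ATTRIBUTE_DEPS;
    return ASSIGN_OK;
}

/* Build a constructed template with the given flags and check it. with_auth == 0
 * leaves the CKA_AUTH_DATA entry out entirely. */
assign_check_t demo_template(int with_auth, CK_BBOOL sensitive, CK_BBOOL extractable, CK_BBOOL modifiable)
{
    unsigned char auth[] = "constructed-auth-data";   /* sample value, not real auth data */
    CK_ATTRIBUTE tmpl[4] = {
        {CKA_SENSITIVE,             &sensitive,   sizeof sensitive},
        {CKA_EXTRACTABLE,           &extractable, sizeof extractable},
        {CKA_MODIFIABLE,            &modifiable,  sizeof modifiable},
        {CKA_AUTH_DATA_PLACEHOLDER, auth,         sizeof auth - 1},
    };
    return check_assignable(tmpl, with_auth ? 4 : 3);
}
```

Running the check client-side does not replace the HSM's own enforcement; it only lets an application report a precise reason before spending a round trip on a call that the firmware will reject.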

CA_AuthorizeKey

Explicitly authorize a key (assigned or unassigned) by key handle in a given session. This function can be used only in an already-authenticated session for any role. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_AuthorizeKey(CK_SESSION_HANDLE hSession, 
                CK_OBJECT_HANDLE  hObject, 
                CK_UTF8CHAR_PTR   pAuthData, 
                CK_ULONG          ulAuthDataLen); 
I/O Argument Description
In hSession The authenticated session handle.
hObject The object handle.
pAuthData The user's authentication data.
ulAuthDataLen The length of the authentication data.

See also Per-Key Authorization API.

CA_Bip32ExportPublicKey

Export BIP32 public keys. The specified object is extracted from the HSM and encoded in the BIP32 format. The result is a NULL-terminated string and is placed in the pPublicSerialData parameter. The length of pPublicSerialData has a maximum of 112 characters. This constant is defined as CKG_BIP32_MAX_SERIALIZED_LEN. It’s possible that not all characters are needed to serialize the key. Any unused characters are set to 0. Requires minimum Luna HSM Firmware 7.3.0 and Luna HSM Client 7.3.0.

CA_Bip32ExportPublicKey(CK_SESSION_HANDLE hSession, 
                        CK_ULONG          ulObjectHandle, 
                        CK_BYTE_PTR       pPublicSerialData, 
                        CK_ULONG_PTR      pulPublicSerialLen); //in: max.buffer size
I/O Argument Description
In hSession The authenticated session handle.
ulObjectHandle The object handle.
Out pPublicSerialData A NULL-terminated string containing the exported key, in BIP32 Serialization Format.
pulPublicSerialLen On input, the maximum size of the buffer pointed to by pPublicSerialData; on output, the length of the exported key string in pPublicSerialData.

Private Key Export

Use existing PKCS#11 functions to export private keys. Key Export Mode must be set on the HSM. Export keys by calling C_WrapKey() followed by C_Decrypt*(). Use C_WrapKey() and C_UnwrapKey() to store keys off the HSM, or to move them between HSMs.

See also BIP32 Mechanism Support and Implementation.

CA_Bip32ImportPublicKey

Import BIP32 public keys. The function is similar to C_CreateObject() but it takes an additional parameter for the serialized public key. The template passed in should contain all the desired non-BIP32 attributes like CKA_TOKEN, CKA_PRIVATE, CKA_DERIVE, etc. The function decodes the public key to get all the BIP32 attributes. Both sets of attributes are then used to create the public key on the HSM. Requires minimum Luna HSM Firmware 7.3.0 and Luna HSM Client 7.3.0.

NOTE   When importing a serialized extended public key, implementations must verify whether the X coordinate in the public key data corresponds to a point on the curve. If not, the extended public key is invalid.

CA_Bip32ImportPublicKey(CK_SESSION_HANDLE    hSession, 
                        CK_BYTE_PTR          pBase58Key, 
                        CK_ULONG             usKeyLen, 
                        CK_ATTRIBUTE_PTR     pTemplate, 
                        CK_ULONG             usCount, 
                        CK_OBJECT_HANDLE_PTR phImportedObject); 
I/O Argument Description
In hSession The authenticated session handle.
pBase58Key The key to be imported, in BIP32 Serialization Format.
usKeyLen The length of the key to be imported.
pTemplate The template for the key attributes to be applied to the imported key, for example:

/* Variable declarations added so the template is self-contained. */
CK_BBOOL bTrue  = CK_TRUE;
CK_BBOOL bToken = CK_TRUE;          /* CK_FALSE for a session object */
char     pbLabel[] = "bip32 public key";

CK_ATTRIBUTE template[] =
{
   {CKA_TOKEN,             &bToken,      sizeof(bToken)},
   {CKA_PRIVATE,           &bTrue,       sizeof(bTrue)},
   {CKA_DERIVE,            &bTrue,       sizeof(bTrue)},
   {CKA_MODIFIABLE,        &bTrue,       sizeof(bTrue)},
   {CKA_LABEL,             pbLabel,      strlen(pbLabel)},
};

usCount The number of attributes in the pTemplate array.
Out phImportedObject The handle for the newly-created key is stored here, if the import was successful.

Private Key Import

Use existing PKCS#11 functions to import private keys. Key Export Mode must be set on the HSM. Import a key by calling C_Encrypt*() on the serialized key followed by C_UnwrapKey().

See also BIP32 Mechanism Support and Implementation.
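The string that CA_Bip32ExportPublicKey leaves in the CKG_BIP32_MAX_SERIALIZED_LEN buffer, and that CA_Bip32ImportPublicKey consumes, is a Base58-encoded BIP32 extended public key. The C code below is an added example, not Luna code: it reads the NUL-terminated string out of a zero-filled 112-byte buffer, Base58-decodes it, splits it into the BIP32 fields (version, depth, parent fingerprint, child number, chain code, compressed key) and applies the structural checks an application should make before trusting the key. The field layout follows the BIP32 specification, not this page; the sample buffer is constructed with made-up chain-code and key bytes and a placeholder checksum. Two things are deliberately left to the caller: verifying the 4-byte checksum (double SHA-256 of the payload) needs a hash library, and the on-curve check of the X coordinate that the NOTE above requires needs an EC library; this example only confirms the key is a compressed-point encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CKG_BIP32_MAX_SERIALIZED_LEN 112   /* export buffer size from the page, NUL included */
#define BIP32_PAYLOAD  78                  /* version..key per BIP32, before the checksum */
#define BIP32_CHECKSUM 4

static const char B58[] = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

typedef struct {
    uint32_t version, parent_fingerprint, child_number;
    uint8_t  depth, chain_code[32], key[33];
} bip32_xpub_t;

/* Base58 decode (Bitcoin alphabet). Returns decoded byte count, or -1 on bad input. */
static int base58_decode(const char *src, size_t len, uint8_t *out, size_t cap)
{
    uint8_t acc[128] = {0};                 /* little-endian big integer */
    size_t used = 0, zeros = 0;
    while (zeros < len && src[zeros] == '1') zeros++;   /* leading '1' encodes 0x00 */
    for (size_t i = zeros; i < len; i++) {
        const char *p = src[i] ? strchr(B58, src[i]) : NULL;
        if (!p) return -1;
        unsigned carry = (unsigned)(p - B58);
        for (size_t j = 0; j < used; j++) {             /* acc = acc * 58 + digit */
            carry += 58u * acc[j];
            acc[j] = (uint8_t)carry;
            carry >>= 8;
        }
        for (; carry; carry >>= 8) {
            if (used >= sizeof acc) return -1;
            acc[used++] = (uint8_t)carry;
        }
    }
    if (zeros + used > cap) return -1;
    memset(out, 0, zeros);
    for (size_t j = 0; j < used; j++) out[zeros + j] = acc[used - 1 - j];
    return (int)(zeros + used);
}

/* Base58 encode; used only to build the constructed sample buffer. */
int base58_encode(const uint8_t *in, size_t len, char *out, size_t cap)
{
    uint8_t dig[160];                       /* little-endian base-58 digits */
    size_t nd = 0, zeros = 0;
    while (zeros < len && in[zeros] == 0) zeros++;
    for (size_t i = zeros; i < len; i++) {
        unsigned carry = in[i];
        for (size_t j = 0; j < nd; j++) {               /* dig = dig * 256 + byte */
            carry += 256u * dig[j];
            dig[j] = (uint8_t)(carry % 58);
            carry /= 58;
        }
        for (; carry; carry /= 58) {
            if (nd >= sizeof dig) return -1;
            dig[nd++] = (uint8_t)(carry % 58);
        }
    }
    if (zeros + nd + 1 > cap) return -1;
    memset(out, '1', zeros);
    for (size_t j = 0; j < nd; j++) out[zeros + j] = B58[dig[nd - 1 - j]];
    out[zeros + nd] = '\0';
    return (int)(zeros + nd);
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the exported string from a bufsize-byte buffer. 0 = ok, negative = reject. */
int bip32_parse_xpub(const char *buf, size_t bufsize, bip32_xpub_t *x)
{
    size_t len = 0;
    while (len < bufsize && buf[len]) len++;
    if (len == bufsize) return -1;                         /* no terminator inside the buffer */
    uint8_t raw[BIP32_PAYLOAD + BIP32_CHECKSUM];
    if (base58_decode(buf, len, raw, sizeof raw) != (int)sizeof raw) return -2;  /* bad length/charset */
    /* raw[78..81] is the checksum: verify with double SHA-256 before trusting the fields. */
    x->version            = be32(raw);
    x->depth              = raw[4];
    x->parent_fingerprint = be32(raw + 5);
    x->child_number       = be32(raw + 9);
    memcpy(x->chain_code, raw + 13, 32);
    memcpy(x->key, raw + 45, 33);
    if (x->key[0] != 0x02 && x->key[0] != 0x03) return -3;  /* not a compressed point; the
                                       on-curve check of X still needs an EC library */
    if (x->depth == 0 && (x->parent_fingerprint || x->child_number)) return -4;  /* master key */
    return 0;
}

/* Constructed sample: xpub version bytes, depth 0, made-up chain code and key bytes,
 * placeholder checksum, zero-filled like the HSM's export buffer. */
int build_sample(uint8_t key_prefix, char out[CKG_BIP32_MAX_SERIALIZED_LEN])
{
    uint8_t raw[BIP32_PAYLOAD + BIP32_CHECKSUM] = {0x04, 0x88, 0xB2, 0x1E};  /* depth/fp/child = 0 */
    memset(raw + 13, 0x11, 32);
    raw[45] = key_prefix;
    memset(raw + 46, 0x22, 32);
    memset(raw + 78, 0xAA, 4);                             /* PLACEHOLDER, not a real checksum */
    memset(out, 0, CKG_BIP32_MAX_SERIALIZED_LEN);
    return base58_encode(raw, sizeof raw, out, CKG_BIP32_MAX_SERIALIZED_LEN);
}

int demo_parse(uint8_t key_prefix, bip32_xpub_t *x)
{
    char buf[CKG_BIP32_MAX_SERIALIZED_LEN];
    if (build_sample(key_prefix, buf) < 0) return -9;
    return bip32_parse_xpub(buf, sizeof buf, x);
}
```

A serialized extended public key with the xpub version bytes is 111 Base58 characters, which is why the 112-byte buffer (111 characters plus the terminator) is sufficient and why the unused tail of a shorter encoding is zero.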

CA_CapabilityUpdate

Apply a configuration update file as Security Officer only.

CA_CapabilityUpdate(CK_SESSION_HANDLE hSession, 
                    CK_ULONG          ulManifestLen, 
                    CK_BYTE_PTR       pManifest, 
                    CK_ULONG          ulAuthcodeLen, 
                    CK_BYTE_PTR       pAuthcode); 

CA_ChangeKCVLabel

Allows the Partition Security Officer to change the label of a KCV (cloning domain). The primary use of this API is to add a label to a pre-existing KCV that does not already have a label. It can also be used to change an existing label of a KCV, which may be useful when merging/splitting domains and the same domain label has been used for different KCV values. See also Universal Cloning and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

Requires minimum Luna HSM Firmware 7.8.0 and Luna HSM Client 10.5.0.

CA_ChangeKCVLabel(CK_SESSION_HANDLE hSession, 
                  CK_ULONG          ulOldLabelLength, 
                  CK_BYTE_PTR       pOldLabel, 
                  CK_ULONG          ulNewLabelLength, 
                  CK_BYTE_PTR       pNewLabel); 
I/O Argument Description
In hSession A session on the partition authenticated by the Partition Security Officer.
ulOldLabelLength The length of the label pointed to by pOldLabel. If pOldLabel is NULL, then this value must be 0.
pOldLabel A pointer to a buffer that contains the label for the domain to be re-labelled. To add a label to a domain that does not already have one, this value must be NULL.
ulNewLabelLength The length of the label pointed to by pNewLabel. The label length cannot be 0.
pNewLabel A pointer to a buffer that contains the new label for the domain. The label must be between 1 and 32 bytes in length and is NOT a NULL terminated string. This parameter cannot be NULL.

Return Code Hex Description
CKR_DOMAIN_LABEL_ALREADY_EXISTS   This error is returned when the label provided for a new domain, or when changing the label of an existing domain, already exists. This includes removing a domain’s label when there is already a domain with no label.
CKR_DOMAIN_LABEL_INVALID   The specified domain label does not match a domain that is currently assigned to the partition, or the new label does not meet the length requirement.

CA_ChangeLabel

CA_ChangeLabel(CK_SESSION_HANDLE hSession, 
               CK_SLOT_ID        ulSlotID, 
               CK_CHAR_PTR       pulLabel, 
               CK_ULONG          ulLabelLen); 

CA_CheckOperationState

Check if the specified cryptographic operation (encrypt, decrypt, sign, verify, digest) is in progress or not in the given session.

CA_CheckOperationState(CK_SESSION_HANDLE hSession, 
                       CK_ULONG          operation, 
                       CK_BBOOL          *pactive); 

CA_ChoosePrimarySlot

CA_ChoosePrimarySlot(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_ChooseSecondarySlot

CA_ChooseSecondarySlot(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_CloneAllObjectsToSession

CA_CloneAllObjectsToSession(CK_SESSION_HANDLE hSession, 
                            CK_SLOT_ID        slotId); 

CA_CloneAsSource

Clone an object from the source token.

CA_CloneAsSource(CK_SESSION_HANDLE hSession, 
                 CK_ULONG          hType, 
                 CK_ULONG          hHandle, 
                 CK_BYTE_PTR       pPart1, 
                 CK_ULONG          ulPart1Size, 
                 CK_BBOOL          bReplicate, 
                 CK_BYTE_PTR       pPart2, 
                 CK_ULONG_PTR      pulPart2Size); 
I/O Argument Description
In hSession The authenticated session handle.
hType Always specify CK_CRYPTOKI_ELEMENT for cloning standard PKCS#11 objects.
hHandle The handle of the object being cloned.
pPart1 The Part1 buffer.
ulPart1Size The size of the Part1 buffer.
bReplicate Boolean indicating whether this is a pure cloning operation or uses network replication:

>Cloning to/from Luna PCIe HSM 7 or Luna USB HSM 7: FALSE

>Cloning to/from Luna Network HSM 7: TRUE

Out pPart2 The Part2 buffer.
pulPart2Size The size of the Part2 buffer.

See also Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

CA_CloneAsSourceInit

Initialize the cloning operation on the source token. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_CloneAsSourceInit(CK_SESSION_HANDLE hSession, 
                     CK_BYTE_PTR       pInParameter, 
                     CK_ULONG          ulInParameterSize, 
                     CK_BYTE_PTR       pOutParameter, 
                     CK_ULONG_PTR      pulOutParameterSize, 
                     CK_BBOOL          bReplicate); 
I/O Argument Description
In hSession The authenticated session handle.
pInParameter Always NULL.
ulInParameterSize Always 0.
Out pOutParameter The output of the initialization data (TWC).
pulOutParameterSize The size of the initialization data (TWC).
bReplicate Boolean indicating whether this is a pure cloning operation or uses network replication:

>Cloning to/from Luna PCIe HSM 7 or Luna USB HSM 7: FALSE

>Cloning to/from Luna Network HSM 7: TRUE

See also Luna HSM Cloning API CPv3 - Extensions to PKCS #11 and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

CA_CloneAsTarget

Clone an object to the target token.

CA_CloneAsTarget(CK_SESSION_HANDLE    hSession, 
                 CK_BYTE_PTR          pKEV, 
                 CK_ULONG             ulKEVSize, 
                 CK_BYTE_PTR          pPart2, 
                 CK_ULONG             ulPart2Size, 
                 CK_ULONG             hType, 
                 CK_ULONG             hHandle, 
                 CK_BBOOL             bReplicate, 
                 CK_OBJECT_HANDLE_PTR phClonedHandle); 
I/O Argument Description
In hSession The authenticated session handle.
pKEV The KEV for the target token. See CA_GenerateCloningKEV.
ulKEVSize The size of the KEV.
pPart2 The Part2 buffer.
ulPart2Size The size of the Part2 buffer.
hType Always specify CK_CRYPTOKI_ELEMENT for cloning standard PKCS#11 objects.
hHandle The handle of the object being cloned.
bReplicate Boolean indicating whether this is a pure cloning operation or uses network replication:

>Cloning to/from Luna PCIe HSM 7 or Luna USB HSM 7: FALSE

>Cloning to/from Luna Network HSM 7: TRUE

Out phClonedHandle The handle of the cloned object on the target token.

See also Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

CA_CloneAsTargetInit

Initializes the cloning operation on the target token.

CA_CloneAsTargetInit(CK_SESSION_HANDLE hSession, 
                     CK_BYTE_PTR       pTWC, 
                     CK_ULONG          ulTWCSize, 
                     CK_BYTE_PTR       pKEV, 
                     CK_ULONG          ulKEVSize, 
                     CK_BBOOL          bReplicate, 
                     CK_BYTE_PTR       pPart1, 
                     CK_ULONG_PTR      pulPart1Size); 
I/O Argument Description
In hSession The authenticated session handle.
pTWC The Token Wrapping Certificate (TWC). See CA_GetTokenCertificates.
ulTWCSize The size of the TWC.
pKEV The KEV for the target token. See CA_GenerateCloningKEV.
ulKEVSize The size of the KEV.
bReplicate Boolean indicating whether this is a pure cloning operation or uses network replication:

>Cloning to/from Luna PCIe HSM 7 or Luna USB HSM 7: FALSE

>Cloning to/from Luna Network HSM 7: TRUE

Out pPart1 The Part1 buffer.
pulPart1Size The size of the Part1 buffer.

See also Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

CA_CloneObject

Clone an object from one token to another eligible token (matching domains), visible to the same client.

CA_CloneObject(CK_SESSION_HANDLE    hTargetSession, 
               CK_SESSION_HANDLE    hSourceSession, 
               CK_ULONG             ulObjectType, 
               CK_OBJECT_HANDLE     hObjectHandle, 
               CK_OBJECT_HANDLE_PTR phClonedObject); 
I/O Argument Description
In hTargetSession The handle of the open session on the target token.
hSourceSession The handle of the open session on the source token.
ulObjectType Always specify CK_CRYPTOKI_ELEMENT for cloning standard PKCS#11 objects.
hObjectHandle The handle of the object on the source token to be cloned.
Out phClonedObject The object handle of the newly cloned object on the target token.

See also Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

CA_CloneObjectToAllSessions

CA_CloneObjectToAllSessions(CK_SESSION_HANDLE hSession, 
                            CK_OBJECT_HANDLE  hObject); 
I/O Argument Description
In hSession The authenticated session handle.
Out hObject The object handle.

CA_ClonePrivateKey

Permit secure transfer of a private key (RSA) between a source token and a target token.

CA_ClonePrivateKey(CK_SESSION_HANDLE    hTargetSession, 
                   CK_SESSION_HANDLE    hSourceSession, 
                   CK_OBJECT_HANDLE     hObjectToCloneHandle, 
                   CK_OBJECT_HANDLE_PTR phClonedKey); 

CA_CloningDisableCipherSuite

Allows the Partition Security Officer to disable a cloning cipher suite. Requires Luna HSM Client 10.4.0 or newer.

CA_CloningDisableCipherSuite(CK_SESSION_HANDLE hSession, 
                             CK_ULONG          CipherID); 
I/O Argument Description
In hSession The authenticated session handle.
CipherID The cipher ID.

CA_CloningEnableCipherSuite

Allows the Partition Security Officer to enable a cloning cipher suite. Requires Luna HSM Client 10.4.0 or newer.

CA_CloningEnableCipherSuite(CK_SESSION_HANDLE hSession, 
                            CK_ULONG          CipherID); 
I/O Argument Description
In hSession The authenticated session handle.
CipherID The cipher ID.

CA_CloningGetCipherNameByID

Allows an unauthenticated user to query the ASCII name of any cloning cipher suite. Requires Luna HSM Client 10.4.0 or newer.

CA_CloningGetCipherNameByID(CK_SLOT_ID   slotID, 
                            CK_ULONG     ulCipherID, 
                            CK_CHAR_PTR  pszName, 
                            CK_ULONG_PTR pulNameBufSize); 
I/O Argument Description
In slotID The slot number.
ulCipherID The ID of the cipher suite.
pszName A pointer to an array to receive the name of the cipher suite. If pszName is NULL, then no name is returned and pulNameBufSize is set to the size of the array required to receive the cipher suite name.
pulNameBufSize The length of the array pointed to by pszName. This parameter cannot be NULL. The value pointed to by pulNameBufSize is set to the actual size of the cipher suite name.
Return Code Hex Description
CKR_BUFFER_TOO_SMALL   The array pointed to by pszName is too small to receive the cipher suite name.
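The two-call sizing pattern that the pszName and pulNameBufSize descriptions imply, as an added example that is not part of the Luna documentation or SDK. The stand-in for CA_CloningGetCipherNameByID below is a constructed mock with made-up suite names and IDs that implements only the buffer semantics stated above (NULL buffer reports the required size, a short buffer returns CKR_BUFFER_TOO_SMALL, the size output is always updated); it assumes the reported size counts the terminating NUL, which the page does not state, so the caller allocates one extra byte regardless. With the SDK installed, pass the real CA_CloningGetCipherNameByID as the function pointer instead of the mock.

```c
#include <stdlib.h>
#include <string.h>

/* Reduced Cryptoki typedefs (assumed; the real ones come from cryptoki.h). */
typedef unsigned long  CK_ULONG, *CK_ULONG_PTR, CK_SLOT_ID, CK_RV;
typedef unsigned char *CK_CHAR_PTR;
#define CKR_OK               0x000UL
#define CKR_HOST_MEMORY      0x002UL
#define CKR_ARGUMENTS_BAD    0x007UL
#define CKR_BUFFER_TOO_SMALL 0x150UL

/* Signature shared by CA_CloningGetCipherNameByID and the mock below. */
typedef CK_RV (*cipher_name_fn)(CK_SLOT_ID, CK_ULONG, CK_CHAR_PTR, CK_ULONG_PTR);

/* Constructed mock: suite names and IDs are invented for the example, not Luna's. */
CK_RV mock_CA_CloningGetCipherNameByID(CK_SLOT_ID slot, CK_ULONG id, CK_CHAR_PTR name, CK_ULONG_PTR size)
{
    static const char *const names[] = { "SUITE_A", "SUITE_B_LONGER_NAME" };
    (void)slot;
    if (size == NULL) return CKR_ARGUMENTS_BAD;                 /* "This parameter cannot be NULL" */
    if (id >= sizeof names / sizeof names[0]) return CKR_ARGUMENTS_BAD;
    CK_ULONG need = (CK_ULONG)strlen(names[id]) + 1;            /* assumption: size includes NUL */
    if (name == NULL) { *size = need; return CKR_OK; }           /* size query only */
    if (*size < need) { *size = need; return CKR_BUFFER_TOO_SMALL; }
    memcpy(name, names[id], need);
    *size = need;
    return CKR_OK;
}

/* Query the size, allocate, fetch. Retries once if CKR_BUFFER_TOO_SMALL comes back
 * with a larger size (the name could change between the two calls). On success the
 * caller owns *out and frees it. */
CK_RV get_cipher_name(cipher_name_fn fn, CK_SLOT_ID slot, CK_ULONG id, char **out)
{
    *out = NULL;
    CK_ULONG size = 0;
    CK_RV rv = fn(slot, id, NULL, &size);
    if (rv != CKR_OK) return rv;
    for (int attempt = 0; attempt < 2; attempt++) {
        char *buf = calloc(size + 1, 1);     /* +1 keeps a terminator even if size excludes it */
        if (buf == NULL) return CKR_HOST_MEMORY;
        rv = fn(slot, id, (CK_CHAR_PTR)buf, &size);
        if (rv == CKR_OK) { *out = buf; return CKR_OK; }
        free(buf);
        if (rv != CKR_BUFFER_TOO_SMALL) return rv;   /* size was updated by the call; retry */
    }
    return rv;
}

/* Length of the fetched name for a suite ID, or -1 if the lookup fails. */
int demo_name_length(CK_ULONG id)
{
    char *name = NULL;
    if (get_cipher_name(mock_CA_CloningGetCipherNameByID, 0, id, &name) != CKR_OK) return -1;
    int len = (int)strlen(name);
    free(name);
    return len;
}

/* 1 if an unknown ID is rejected without leaking a buffer, else 0. */
int demo_unknown_id_rejected(void)
{
    char *name = NULL;
    CK_RV rv = get_cipher_name(mock_CA_CloningGetCipherNameByID, 0, 99, &name);
    return rv == CKR_ARGUMENTS_BAD && name == NULL;
}
```

The same pattern applies to CA_CloningGetCipherSuiteStates, whose pulArray/pbArraySize pair has the same NULL-query and CKR_BUFFER_TOO_SMALL behaviour.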

CA_CloningGetCipherSuiteStates

Allows an unauthenticated user to retrieve the status of each cloning cipher suite. Requires Luna HSM Client 10.4.0 or newer.

CA_CloningGetCipherSuiteStates(CK_SLOT_ID   slotID, 
                               CK_ULONG_PTR pulArray, 
                               CK_BYTE_PTR  pbArraySize); 
I/O Argument Description
In slotID The slot number.
pulArray A pointer to an array to receive the status (1=enabled, 0=disabled) of each cipher suite. If pulArray is NULL, no information is returned and pbArraySize is set to the size of the array required to receive the cipher suite states.
pbArraySize A pointer to the size of the array pointed to by pulArray. This parameter cannot be NULL. The value pointed to by pbArraySize is set to the actual size of the cipher suite states array.
Return Code Hex Description
CKR_BUFFER_TOO_SMALL   The array pointed to by pulArray is too small.

CA_CloseAllSecondarySessions

CA_CloseAllSecondarySessions(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_CloseApplicationID

Deactivate an application identifier. This function is deprecated in Luna HSM Firmware 7.7.0 and newer. Use CA_CloseApplicationIDV2 instead.

CA_CloseApplicationID(CK_SLOT_ID slotID, 
                      CK_ULONG   ulHigh, 
                      CK_ULONG   ulLow); 

CA_CloseApplicationIDForContainer

Deactivate an application identifier for a container. This function is deprecated in Luna HSM Firmware 7.7.0 and newer. Use CA_CloseApplicationIDForContainerV2 instead.

CA_CloseApplicationIDForContainer(CK_SLOT_ID slotID, 
                                  CK_ULONG   ulHigh, 
                                  CK_ULONG   ulLow, 
                                  CK_ULONG   ulContainerNumber); 

CA_CloseApplicationIDForContainerV2

Deactivate an application identifier for a container. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0. For older firmware/client versions, use CA_CloseApplicationIDForContainer.

CA_CloseApplicationIDForContainerV2(CK_SLOT_ID              slotID, 
                                    const CK_APPLICATION_ID * pAppId, 
                                    CK_ULONG                ulContainerNumber); 

CA_CloseApplicationIDV2

Deactivate an application identifier. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0. For older firmware/client versions, use CA_CloseApplicationID.

CA_CloseApplicationIDV2(CK_SLOT_ID              slotID, 
                        const CK_APPLICATION_ID * pAppId); 

CA_CloseSecondarySession

CA_CloseSecondarySession(CK_SESSION_HANDLE hSession, 
                         CK_SLOT_ID        slotID, 
                         CK_ULONG          slotInstance); 

CA_ConfigureRemotePED

Configure the specified slot to use the provided remote PED information (Luna Network HSM 7 only).

CA_ConfigureRemotePED(CK_SLOT_ID   slotId, 
                      CK_CHAR_PTR  pHostName, 
                      CK_ULONG     ulPort, 
                      CK_ULONG_PTR pulPedId); 

CA_ConnectRemotePED

Requires Luna HSM Client 10.1.0 or newer.

CA_ConnectRemotePED(CK_SLOT_ID  slotId, 
                    CK_ULONG    ulPedId, 
                    CK_BBOOL    bpwdBased, 
                    CK_CHAR_PTR pPwd); 

CA_CreateContainerLoginChallenge

Create a challenge for a partition role.

CA_CreateContainerLoginChallenge(CK_SESSION_HANDLE hSession, 
                                 CK_SLOT_ID        targetSlotID, 
                                 CK_USER_TYPE      userType, 
                                 CK_ULONG          ulChallengeDataSize, 
                                 CK_CHAR_PTR       pChallengeData, 
                                 CK_ULONG_PTR      ulOutputDataSize, 
                                 CK_CHAR_PTR       pOutputData); 

CA_CreateLoginChallenge

Create a login challenge for the specified user.

CA_CreateLoginChallenge(CK_SESSION_HANDLE hSession, 
                        CK_USER_TYPE      userType, 
                        CK_ULONG          ulChallengeDataSize, 
                        CK_CHAR_PTR       pChallengeData, 
                        CK_ULONG_PTR      ulOutputDataSize, 
                        CK_CHAR_PTR       pOutputData); 

CA_CV_IssueAdminRequest

Requires Luna HSM Client 10.1.0 or newer.

CA_CV_IssueAdminRequest(CK_SLOT_ID   slotID, 
                        CK_BYTE_PTR  pRequest, 
                        CK_ULONG     requestLen, 
                        CK_BYTE_PTR  pResponse, 
                        CK_ULONG_PTR responseLen, 
                        CK_BYTE_PTR  pAuditLogOut, 
                        CK_ULONG_PTR auditLogOutLen); 

CA_CV_IssueContainerRequest

Requires Luna HSM Client 10.1.0 or newer.

CA_CV_IssueContainerRequest(CK_SLOT_ID   slotID, 
                            CK_BYTE_PTR  pRequest, 
                            CK_ULONG     requestLen, 
                            CK_BYTE_PTR  pContainerIn, 
                            CK_ULONG     containerInLen, 
                            CK_BYTE_PTR  pResponse, 
                            CK_ULONG_PTR responseLen, 
                            CK_BYTE_PTR  pAuditLogOut, 
                            CK_ULONG_PTR auditLogOutLen, 
                            CK_BYTE_PTR  pContainerOut, 
                            CK_ULONG_PTR containerOutLen); 

CA_CV_IssueP11Request

Requires Luna HSM Client 10.1.0 or newer.

CA_CV_IssueP11Request(CK_SLOT_ID       slotID, 
                      CK_BYTE_PTR      req, 
                      CK_ULONG         req_len, 
                      CK_BYTE_PTR      resp, 
                      CK_ULONG         resp_len, 
                      CK_ULONG_PTR     resp_used, 
                      CK_FRAGMENTS_PTR fragments); 

CA_Deactivate

Deactivate the specified partition.

CA_Deactivate(CK_SLOT_ID   slotId, 
              CK_USER_TYPE userType); 
I/O Argument Description
In slotId The slot number.
userType The user role on the partition.

CA_DecapsulateKey

Creates a new secret key object from the private key and the ciphertext generated by an encapsulate operation. The new key is identical to the key returned by encapsulate. This is a KEM-style function. The CKA_DECAPSULATE attribute of the private key, which indicates whether the key supports decapsulation, MUST be CK_TRUE.

Requires minimum Luna HSM Firmware 7.9.0 and Luna HSM Client 10.9.0.

CA_DecapsulateKey(CK_SESSION_HANDLE    hSession, 
                  CK_MECHANISM_PTR     pMechanism, 
                  CK_OBJECT_HANDLE     hPrivateKey, 
                  CK_ATTRIBUTE_PTR     pTemplate, 
                  CK_ULONG             ulAttributeCount, 
                  CK_BYTE_PTR          pCiphertextKey, 
                  CK_ULONG             ulCiphertextLen, 
                  CK_OBJECT_HANDLE_PTR phKey); 
I/O Argument Description
In hSession The authenticated session handle.
pMechanism Specifies the mechanism and optional parameters to use for the operation.
hPrivateKey The handle of the decapsulating key.
pTemplate The attributes of the new key.
ulAttributeCount The number of attributes specified in pTemplate.
pCiphertextKey The encrypted key.
ulCiphertextLen The length of the encrypted key specified in pCiphertextKey.
Out phKey The handle of the new decapsulated key.

The new key has:

>the CKA_ALWAYS_SENSITIVE attribute set to CK_FALSE,

>the CKA_NEVER_EXTRACTABLE attribute set to CK_FALSE,

>the CKA_EXTRACTABLE attribute set to the value in the input template, defaulting to CK_TRUE if not provided,

>the CKA_LOCAL attribute set to CK_FALSE.

CA_DeleteContainer

Delete a partition.

CA_DeleteContainer(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_DeleteContainerWithHandle

Deletes a partition.

CA_DeleteContainerWithHandle(CK_SESSION_HANDLE hSession, 
                             CK_ULONG          ulContainerNumber); 

CA_DeleteKCV

Allows the Partition Security Officer to delete domains on the partition. See also Universal Cloning and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

Requires minimum Luna HSM Firmware 7.8.0 and Luna HSM Client 10.5.0.

CA_DeleteKCV(CK_SESSION_HANDLE hSession, 
             CK_ULONG          ulLabelLength, 
             CK_BYTE_PTR       pLabel); 
I/O Argument Description
In hSession A session on the partition authenticated by the Partition Security Officer.
ulLabelLength The length of the label pointed to by pLabel. If pLabel is NULL, then this parameter must be set to 0.
pLabel A pointer to a buffer that contains the label for the domain to be deleted. If ulLabelLength is 0, then this parameter must be set to NULL.
Return Code Hex Description
CKR_DOMAIN_MANAGEMENT_NOT_ALLOWED   Partition policy 44: Allow Extended Domain Management is disabled, or the domain specified is of a different authentication type than the HSM (specifying a multifactor quorum domain on a password-authenticated HSM or vice-versa).
CKR_DOMAIN_LABEL_INVALID   The specified domain label does not match a domain that is currently assigned to the partition.

CA_DeleteRemotePEDVector

Delete the Remote PED Vector (RPV).

CA_DeleteRemotePEDVector(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_DeriveKeyAndWrap

This function is an optimization of C_DeriveKey followed by C_WrapKey, merging the two operations into one call (the input and output constraints are the same as for the individual functions). A further optimization is applied when mechanism CKM_ECDH1_DERIVE is used with CA_DeriveKeyAndWrap.

CA_DeriveKeyAndWrap(CK_SESSION_HANDLE hSession, 
                    CK_MECHANISM_PTR  pMechanismDerive, 
                    CK_OBJECT_HANDLE  hBaseKey, 
                    CK_ATTRIBUTE_PTR  pTemplate, 
                    CK_ULONG          ulAttributeCount, 
                    CK_MECHANISM_PTR  pMechanismWrap, 
                    CK_OBJECT_HANDLE  hWrappingKey, 
                    CK_BYTE_PTR       pWrappedKey, 
                    CK_ULONG_PTR      pulWrappedKeyLen); 

CA_DescribeUtilizationBinId

Requires minimum Luna HSM Firmware 7.3.0 and Luna HSM Client 7.3.0.

CA_DescribeUtilizationBinId(CK_ULONG    ulBinId, 
                            CK_CHAR_PTR CK_PTR describe); 

CA_DescribeUtilizationCounterId

Requires minimum Luna HSM Firmware 7.3.0 and Luna HSM Client 7.3.0.

CA_DescribeUtilizationCounterId(CK_ULONG    ulCounterId, 
                                CK_CHAR_PTR CK_PTR describe); 

CA_DestroyMultipleObjects

Delete multiple objects on the specified token.

CA_DestroyMultipleObjects(CK_SESSION_HANDLE    hSession, 
                          CK_ULONG             ulHandleCount, 
                          CK_OBJECT_HANDLE_PTR pHandleList, 
                          CK_ULONG_PTR         pulIndex); 

CA_DisableUnauthTokenInsertion

CA_DisableUnauthTokenInsertion(CK_SESSION_HANDLE hSession, 
                               CK_ULONG          ulContextHandle); 

CA_DisconnectRemotePED

Requires Luna HSM Client 10.1.0 or newer.

CA_DisconnectRemotePED(CK_SLOT_ID slotId, 
                       CK_ULONG   ulPedId); 

CA_DismantleRemotePED

Reverse the operation of CA_ConfigureRemotePED. Deletes remote PED information for the partition in the specified slot.

CA_DismantleRemotePED(CK_SLOT_ID slotId, 
                      CK_ULONG   ulPedId); 

CA_DuplicateMofN

Create duplicates of all M of N secret splits.

CA_DuplicateMofN(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_EnableUnauthTokenInsertion

CA_EnableUnauthTokenInsertion(CK_SESSION_HANDLE hSession, 
                              CK_ULONG          ulMaxUsageCount, 
                              CK_ULONG_PTR      ulContextHandle); 

CA_EncapsulateKey

Requires minimum Luna HSM Firmware 7.9.0 and Luna HSM Client 10.9.0.

CA_EncapsulateKey(CK_SESSION_HANDLE    hSession, 
                  CK_MECHANISM_PTR     pMechanism, 
                  CK_OBJECT_HANDLE     hPublicKey, 
                  CK_ATTRIBUTE_PTR     pTemplate, 
                  CK_ULONG             ulAttributeCount, 
                  CK_BYTE_PTR          pCiphertext, 
                  CK_ULONG_PTR         pulCiphertextLen, 
                  CK_OBJECT_HANDLE_PTR phKey); 
I/O Argument Description
In hSession The authenticated session handle.
pMechanism

Specifies the mechanism to use for the operation.

hPublicKey

The other party's public key.

pTemplate

Attributes of the new symmetric key.

ulAttributeCount The number of attributes specified in pTemplate.
Out pCiphertext The encrypted key, or NULL.
pulCiphertextLen The length of the encrypted key returned in pCiphertext.
phKey The handle of the new key.

The CKA_ENCAPSULATE attribute of the private key, which indicates whether the key supports encapsulation, MUST be CK_TRUE.

The new key has:

>the CKA_ALWAYS_SENSITIVE attribute set to CK_FALSE,

>the CKA_NEVER_EXTRACTABLE attribute set to CK_FALSE,

>the CKA_EXTRACTABLE attribute set to the value given in the input template, defaulting to CK_TRUE if not provided,

>the CKA_LOCAL attribute set to CK_FALSE,

>a value for CKA_UNIQUE_ID generated and assigned.

CA_EncodeECChar2Params

Encode EC curve parameters for user defined curves.

CA_EncodeECChar2Params(CK_BYTE_PTR  DerECParams, 
                       CK_ULONG_PTR DerECParamsLen, 
                       CK_ULONG     m, 
                       CK_ULONG     k1, 
                       CK_ULONG     k2, 
                       CK_ULONG     k3, 
                       CK_BYTE_PTR  a, 
                       CK_ULONG     alen, 
                       CK_BYTE_PTR  b, 
                       CK_ULONG     blen, 
                       CK_BYTE_PTR  seed, 
                       CK_ULONG     seedlen, 
                       CK_BYTE_PTR  x, 
                       CK_ULONG     xlen, 
                       CK_BYTE_PTR  y, 
                       CK_ULONG     ylen, 
                       CK_BYTE_PTR  order, 
                       CK_ULONG     orderlen, 
                       CK_BYTE_PTR  cofactor, 
                       CK_ULONG     cofactorlen); 

CA_EncodeECParamsFromFile

Encode EC curve parameters for user defined curves.

CA_EncodeECParamsFromFile(CK_BYTE_PTR  DerECParams, 
                          CK_ULONG_PTR DerECParamsLen, 
                          CK_BYTE_PTR  paramsFile); 

CA_EncodeECPrimeParams

Encode EC curve parameters for user defined curves.

CA_EncodeECPrimeParams(CK_BYTE_PTR  DerECParams, 
                       CK_ULONG_PTR DerECParamsLen, 
                       CK_BYTE_PTR  prime, 
                       CK_ULONG     primelen, 
                       CK_BYTE_PTR  a, 
                       CK_ULONG     alen, 
                       CK_BYTE_PTR  b, 
                       CK_ULONG     blen, 
                       CK_BYTE_PTR  seed, 
                       CK_ULONG     seedlen, 
                       CK_BYTE_PTR  x, 
                       CK_ULONG     xlen, 
                       CK_BYTE_PTR  y, 
                       CK_ULONG     ylen, 
                       CK_BYTE_PTR  order, 
                       CK_ULONG     orderlen, 
                       CK_BYTE_PTR  cofactor, 
                       CK_ULONG     cofactorlen); 

CA_Extract

This API extracts objects or internal CSPs using the specified session id. The API functionality is defined by a mechanism and a mechanism parameter which allows for any functionality to be defined on a per-mechanism basis. This makes it ideal for the CPv4 extract/insert operations and is consistent with the PKCS#11 API. Requires minimum Luna HSM Firmware 7.8.0 and Luna HSM Client 10.5.0.

CA_Extract(CK_SESSION_HANDLE hSession, 
           CK_MECHANISM_PTR  pMechanism); 
I/O Argument Description
In hSession The authenticated session handle.
In/Out pMechanism Specify CKM_CPV4_EXTRACT (0x80000208) for CPv4 extract operations. It takes a parameter, CK_CPV4_EXTRACT_PARAMS (see below).

The parameter CK_CPV4_EXTRACT_PARAMS is structured as follows:

typedef struct CK_CPV4_EXTRACT_PARAMS {
  CK_ULONG_PTR    sessionIdLength;
  CK_BYTE         sessionId;
  CK_ULONG        inputLength;
  CK_BYTE_PTR     input;
  CK_ULONG        extractionFlags;
  CK_ULONG        numberOfObjects;
  CK_ULONG_PTR    objectType;
  CK_ULONG_PTR    objectHandle;
  CK_RV_PTR       result;
  CK_ULONG_PTR    keyBlobLength;
  CK_BYTE_PTR_PTR keyBlob;
} CK_CPV4_EXTRACT_PARAMS;
I/O Argument Description
In sessionIdLength The length of the session ID.
sessionId The identifier of the session to be used to extract the key blob(s).
inputLength The length of the data pointed to by "input".
input When executing step 4 in the API flow, "input" and "inputLength" must refer to a valid memory location with a non-zero size; specifically, the output of the final call to CA_MigrationContinueSessionNegotiation. For all other calls to this API they must be NULL and 0.
extractionFlags Flags that define how errors are handled during extraction. The default value is 0, which returns on the first error. The following flag is accepted:
>CKF_CONTINUE_ON_ERR (0x01): If specified, the API continues attempting to extract the remaining objects when an individual object fails. If the flag is not specified, the API fails after the first failure is encountered.
numberOfObjects The number of objects to be extracted.
objectType An array of object types defining the type of each object referenced by the array of object handles. Possible values are CK_CRYPTOKI_ELEMENT and CK_PARAM_ELEMENT.
objectHandle An array of object handles defining the objects to be extracted.
Out result An array of result codes defining the result of each object extraction. This field should be initialized to CKR_CLONE_NOT_ATTEMPTED for all objects. If an error is encountered trying to extract an object, that error is set in the result element that corresponds to that object. Callers of this API should check the result element for each object to determine whether the object was successfully extracted.
keyBlobLength An array of length fields corresponding to the array of memory buffers pointed to by "keyBlob". Neither this pointer nor the array it points to can be NULL.
keyBlob An array of memory buffers to receive the extracted key blobs. This value cannot be NULL. If all of the array elements are NULL, the required buffer size of each blob is returned in the keyBlobLength array. Otherwise all values in the array must be non-NULL.

For information on error codes, see CPv4 PKCS#11 Error Code Summary.
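The caller-side handling around CA_Extract described above (initialising every result to CKR_CLONE_NOT_ATTEMPTED, using an all-NULL keyBlob array as a size query, allocating the blobs, then checking each object's result), as an added example that is not part of the Luna SDK. The CK_* typedefs, CKR_DEVICE_ERROR and the extract_arrays helpers are local stand-ins for cryptoki_v2.h; the numeric value given for CKR_CLONE_NOT_ATTEMPTED is a placeholder, not the header's value.

```c
/* Added example: per-object bookkeeping for CA_Extract's result,
 * keyBlobLength and keyBlob arrays. CK_* typedefs stand in for
 * cryptoki_v2.h so the file compiles on its own. */
#include <stdio.h>
#include <stdlib.h>

typedef unsigned long  CK_ULONG;
typedef unsigned long  CK_RV;
typedef unsigned char  CK_BYTE;
typedef CK_BYTE       *CK_BYTE_PTR;

#define CKR_OK                  0x0000UL
#define CKR_DEVICE_ERROR        0x0030UL      /* value as listed in the CA_GetSlotId table */
#define CKR_CLONE_NOT_ATTEMPTED 0xFFFF0001UL  /* PLACEHOLDER: use the value from cryptoki_v2.h */
#define CKF_CONTINUE_ON_ERR     0x01UL

/* The three per-object arrays the caller places into CK_CPV4_EXTRACT_PARAMS. */
typedef struct {
    CK_ULONG     n;
    CK_RV       *result;
    CK_ULONG    *keyBlobLength;
    CK_BYTE_PTR *keyBlob;
} extract_arrays;

/* Allocate the arrays for n objects. Every result starts as
 * CKR_CLONE_NOT_ATTEMPTED and every keyBlob pointer is NULL, so the first
 * CA_Extract call acts as the documented size query. Returns 0 or -1. */
int extract_arrays_init(extract_arrays *a, CK_ULONG n)
{
    a->n = n;
    a->result = calloc(n, sizeof *a->result);
    a->keyBlobLength = calloc(n, sizeof *a->keyBlobLength);
    a->keyBlob = calloc(n, sizeof *a->keyBlob);
    if (!a->result || !a->keyBlobLength || !a->keyBlob)
        return -1;
    for (CK_ULONG i = 0; i < n; i++)
        a->result[i] = CKR_CLONE_NOT_ATTEMPTED;
    return 0;
}

/* After the size query, give every object a buffer of the reported length.
 * The second call requires all elements to be non-NULL, so a zero length is
 * rejected up front (before anything is allocated) instead of left NULL. */
int extract_arrays_alloc_blobs(extract_arrays *a)
{
    for (CK_ULONG i = 0; i < a->n; i++)
        if (a->keyBlobLength[i] == 0)
            return -1;
    for (CK_ULONG i = 0; i < a->n; i++) {
        a->keyBlob[i] = malloc(a->keyBlobLength[i]);
        if (!a->keyBlob[i])
            return -1;
    }
    return 0;
}

/* After the extraction call: count objects whose result is not CKR_OK.
 * Objects still marked CKR_CLONE_NOT_ATTEMPTED were never tried, which is
 * what happens after an earlier failure when CKF_CONTINUE_ON_ERR is unset. */
CK_ULONG extract_arrays_failures(const extract_arrays *a, CK_ULONG *not_attempted)
{
    CK_ULONG nfail = 0, nskip = 0;
    for (CK_ULONG i = 0; i < a->n; i++) {
        if (a->result[i] == CKR_OK)
            continue;
        nfail++;
        if (a->result[i] == CKR_CLONE_NOT_ATTEMPTED)
            nskip++;
    }
    if (not_attempted)
        *not_attempted = nskip;
    return nfail;
}

void extract_arrays_free(extract_arrays *a)
{
    if (a->keyBlob)
        for (CK_ULONG i = 0; i < a->n; i++)
            free(a->keyBlob[i]);  /* free(NULL) is a no-op */
    free(a->keyBlob);
    free(a->keyBlobLength);
    free(a->result);
}

int main(void)
{
    extract_arrays a;
    CK_ULONG skipped;
    if (extract_arrays_init(&a, 3) != 0)
        return 1;
    /* Constructed stand-in for what the size-query call would report. */
    a.keyBlobLength[0] = 64; a.keyBlobLength[1] = 128; a.keyBlobLength[2] = 96;
    if (extract_arrays_alloc_blobs(&a) != 0)
        return 1;
    /* Constructed outcome of the extraction call: object 1 failed and the
     * call stopped there because extractionFlags did not include
     * CKF_CONTINUE_ON_ERR, so object 2 was never attempted. */
    a.result[0] = CKR_OK;
    a.result[1] = CKR_DEVICE_ERROR;
    CK_ULONG nfail = extract_arrays_failures(&a, &skipped);
    printf("%lu of %lu objects not extracted (%lu never attempted)\n", nfail, a.n, skipped);
    extract_arrays_free(&a);
    return 0;
}
```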

CA_ExtractMaskedObject

CA_ExtractMaskedObject(CK_SESSION_HANDLE hSession, 
                       CK_ULONG          ulObjectHandle, 
                       CK_BYTE_PTR       pMaskedKey, 
                       CK_ULONG_PTR      pusMaskedKeyLen); 

CA_FactoryReset

Resets the HSM to factory conditions.

CA_FactoryReset(CK_SLOT_ID slotId, 
                CK_FLAGS   flags); 

CA_FindAdminSlotForSlot

Get the Admin slot for the current slot.

CA_FindAdminSlotForSlot(CK_SLOT_ID  inputSlot, 
                        CK_SLOT_ID* pSlotId, 
                        CK_SLOT_ID* pPrevSlotId); 

CA_FirmwareRollback

Rolls back the HSM firmware to the stored previous version.

CA_FirmwareRollback(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_FMActivateSMFS

Requires minimum Luna HSM Firmware 7.4.0 and Luna HSM Client 7.4.0.

CA_FMActivateSMFS(CK_SESSION_HANDLE hTokenSession); 

CA_FMDelete

Requires minimum Luna HSM Firmware 7.4.0 and Luna HSM Client 7.4.0.

CA_FMDelete(CK_SESSION_HANDLE hTokenSession, 
            CK_ULONG          fmid); 

CA_FMDownload

Requires minimum Luna HSM Firmware 7.4.0 and Luna HSM Client 7.4.0.

CA_FMDownload(CK_SESSION_HANDLE hTokenSession, 
              CK_OBJECT_HANDLE  hObject, 
              CK_ULONG          ulParamLen, 
              CK_BYTE_PTR       pParam, 
              CK_ULONG          ulImageLen, 
              CK_BYTE_PTR       pImage, 
              CK_ULONG          ulSignatureLen, 
              CK_BYTE_PTR       pSignature); 

CA_GenerateCloneableMofN

Create a cloneable secret-splitting vector on a token.

CA_GenerateCloneableMofN(CK_SESSION_HANDLE      hSession, 
                         CK_ULONG               ulM, 
                         CA_MOFN_GENERATION_PTR pVectors, 
                         CK_ULONG               ulVectorCount, 
                         CK_ULONG               isSecurePortUsed, 
                         CK_VOID_PTR            pReserved); 

CA_GenerateCloningKEV

Generate a KEV for the token.

CA_GenerateCloningKEV(CK_SESSION_HANDLE hSession, 
                      CK_BYTE_PTR       pKEV, 
                      CK_ULONG_PTR      pulKEVSize); 
I/O Argument Description
In hSession The authenticated session handle.
Out pKEV The KEV for the target token.
pulKEVSize The size of the KEV.

See also Luna HSM Cloning API CPv1 - Extensions to PKCS #11, Luna HSM Cloning API CPv3 - Extensions to PKCS #11, and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

CA_GenerateMofN

Generate the secret information on a token.

CA_GenerateMofN(CK_SESSION_HANDLE      hSession, 
                CK_ULONG               ulM, 
                CA_MOFN_GENERATION_PTR pVectors, 
                CK_ULONG               ulVectorCount, 
                CK_ULONG               isSecurePortUsed, 
                CK_VOID_PTR            pReserved); 

CA_GenerateTokenKeys

Generate the private keys used for secure key cloning operations.

CA_GenerateTokenKeys(CK_SESSION_HANDLE hSession, 
                     CK_ATTRIBUTE_PTR  pTemplate, 
                     CK_ULONG          usTemplateLen); 

CA_GenerateTWK

Requires minimum Luna HSM Firmware 7.4.0 and Luna HSM Client 7.4.0.

CA_GenerateTWK(CK_SLOT_ID        slotID, 
               CK_SESSION_HANDLE hSession, 
               CK_ULONG          ulKeyType, 
               CK_ULONG          ulExpSize, 
               CK_BYTE_PTR       pExponent, 
               CK_ULONG          ulModulusBitSize, 
               CK_ULONG_PTR      pulModSize, 
               CK_BYTE_PTR       pModulus); 

CA_Get

Get HSM parameters such as the serial number and certificates.

CA_Get(CK_SLOT_ID   slotID, 
       CK_ULONG     ulItem, 
       CK_BYTE_PTR  pBuffer, 
       CK_ULONG_PTR pulBufferLen); 

CA_GetActualSlotList

Requires minimum Luna HSM Firmware 7.4.0 and Luna HSM Client 7.4.0.

CA_GetActualSlotList(CK_SLOT_ID     slotId, 
                     CK_ULONG_PTR   phsmidx, 
                     CK_SLOT_ID_PTR pActualslotID, 
                     CK_ULONG_PTR   pulCount); 

CA_GetApplicationID

Get an application's AccessID. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_GetApplicationID(CK_APPLICATION_ID * pAppId, 
                    CK_VOID_PTR         pApplication); 

CA_GetBlFirmwareVersion

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_GetBlFirmwareVersion(CK_SLOT_ID   slotID, 
                        CK_ULONG_PTR fwMajor, 
                        CK_ULONG_PTR fwMinor, 
                        CK_ULONG_PTR fwSubminor); 

CA_GetClusterState

CA_GetClusterState(CK_SLOT_ID           slotId, 
                   CK_CLUSTER_STATE_PTR pState); 
I/O Argument Description
In slotId The slot number.
Out pState The reported state of the HA group, as defined by the following structure:

typedef struct CK_HA_MEMBER {
   CK_CHAR      memberSerial[16];
   CK_RV        memberStatus;
} CK_HA_MEMBER;

typedef struct CK_HA_STATUS {
   CK_CHAR      groupSerial[16];
   CK_HA_MEMBER memberList[32];
   CK_ULONG     listSize;
} CK_HA_STATUS;

typedef CK_HA_MEMBER CK_POINTER CK_HA_MEMBER_PTR;

typedef CK_HA_STATUS CK_POINTER CK_HA_STATE_PTR;

Returns:

>groupSerial: The 16-byte serial number of the HA group.

>memberList: Array of information on up to 32 HA member partitions, each entry holding:

memberSerial: The 16-byte serial number of the member partition.

memberStatus: The status of the member.

>listSize: The length of the memberList array.

CA_GetConfigurationElementDescription

Get capability and policy descriptions and settings.

Using Luna HSM Client 7.1.0 or newer:

CA_GetConfigurationElementDescription(CK_SLOT_ID   slotID, 
                                      CK_ULONG     ulIsContainerElement, 
                                      CK_ULONG     ulIsCapabilityElement, 
                                      CK_ULONG     ulElementId, 
                                      CK_ULONG_PTR pulElementBitLength, 
                                      CK_ULONG_PTR pulElementDestructive, 
                                      CK_ULONG_PTR pulElementWriteRestricted, 
                                      CK_CHAR_PTR  pDescription, 
                                      CK_ULONG_PTR pDesBufSize); 

Using Luna HSM Client 7.0.0:

CA_GetConfigurationElementDescription(CK_SLOT_ID   slotID, 
                                      CK_ULONG     ulIsContainerElement, 
                                      CK_ULONG     ulIsCapabilityElement, 
                                      CK_ULONG     ulElementId, 
                                      CK_ULONG_PTR pulElementBitLength, 
                                      CK_ULONG_PTR pulElementDestructive, 
                                      CK_ULONG_PTR pulElementWriteRestricted, 
                                      CK_CHAR_PTR  pDescription); 

CA_GetContainerCapabilitySet

Get all partition capability values.

CA_GetContainerCapabilitySet(CK_SLOT_ID   uPhysicalSlot, 
                             CK_ULONG     ulContainerNumber, 
                             CK_ULONG_PTR pulCapIdArray, 
                             CK_ULONG_PTR pulCapIdSize, 
                             CK_ULONG_PTR pulCapValArray, 
                             CK_ULONG_PTR pulCapValSize); 

CA_GetContainerCapabilitySetting

Get a single specified capability value.

CA_GetContainerCapabilitySetting(CK_SLOT_ID   slotID, 
                                 CK_ULONG     ulContainerNumber, 
                                 CK_ULONG     ulPolicyId, 
                                 CK_ULONG_PTR pulPolicyValue); 

CA_GetContainerList

Get the list of all partitions on a slot.

CA_GetContainerList(CK_SLOT_ID   slotID, 
                    CK_ULONG     ulGroupHandle, 
                    CK_ULONG     ulContainerType, 
                    CK_ULONG_PTR pulContainerHandles, 
                    CK_ULONG_PTR pulNumberOfHandles); 

CA_GetContainerName

Get the name of the partition in the specified slot.

CA_GetContainerName(CK_SLOT_ID   slotID, 
                    CK_ULONG     ulContainerHandle, 
                    CK_BYTE_PTR  pContainerName, 
                    CK_ULONG_PTR pulContainerNameLen); 

CA_GetContainerPolicySet

Get all the partition policy values on the specified partition slot.

CA_GetContainerPolicySet(CK_SLOT_ID   uPhysicalSlot, 
                         CK_ULONG     ulContainerNumber, 
                         CK_ULONG_PTR pulPolicyIdArray, 
                         CK_ULONG_PTR pulPolicyIdSize, 
                         CK_ULONG_PTR pulPolicyValArray, 
                         CK_ULONG_PTR pulPolicyValSize); 

CA_GetContainerPolicySetting

Get the value of the specified partition policy setting on the specified partition slot.

CA_GetContainerPolicySetting(CK_SLOT_ID   uPhysicalSlot, 
                             CK_ULONG     ulContainerNumber, 
                             CK_ULONG     ulPolicyId, 
                             CK_ULONG_PTR pulPolicyValue); 

CA_GetContainerStatus

Get partition status, which returns authentication status flags.

CA_GetContainerStatus(CK_SLOT_ID   slotID, 
                      CK_ULONG     ulContainerNumber, 
                      CK_ULONG_PTR pulContainerStatusFlags, 
                      CK_ULONG_PTR pulFailedSOLogins, 
                      CK_ULONG_PTR pulFailedUserLogins, 
                      CK_ULONG_PTR pulFailedLimitedUserLogins); 

CA_GetContainerStorageInformation

Get partition storage information such as size, usage, and number of objects.

CA_GetContainerStorageInformation(CK_SLOT_ID   slotID, 
                                  CK_ULONG     ulContainerNumber, 
                                  CK_ULONG_PTR pulContainerOverhead, 
                                  CK_ULONG_PTR pulTotal, 
                                  CK_ULONG_PTR pulUsed, 
                                  CK_ULONG_PTR pulFree, 
                                  CK_ULONG_PTR pulObjectCount); 

CA_GetCurrentHAState

Get HA status from the application perspective. Same functional behavior as CA_GetHAState, but uses parallel checks of members, avoids delays once a peer is found unreachable, and returns all member statuses within 3 seconds. The 3-second return is expected to be achievable for an HA group up to 32 members and is verified in laboratory conditions, when not affected by appliance CPU, memory, network, or HSM bottlenecks that are outside the control of the cryptographic module and its host.

Any failed member statuses are returned once the configured timeout expires. The timeout defaults to 3 seconds for the check of all group members, but can be set as high as 60 seconds with the statusTimeout configuration option in the HAConfiguration section of the Chrystoki.conf / crystoki.ini file.

NOTE   This feature includes internal fail-safes to avoid race conditions, but invocation from an outside application must be thread-safe.

Requires minimum Luna HSM Client 10.7.0. For older client versions, use CA_GetHAState.

CA_GetCurrentHAState(CK_SLOT_ID      slotId, 
                     CK_HA_STATE_PTR pState); 
I/O Argument Description
In slotId The slot number.
Out pState The reported state of the HA group, as defined by the following structure:

typedef struct CK_HA_MEMBER {
   CK_CHAR      memberSerial[16];
   CK_RV        memberStatus;
} CK_HA_MEMBER;

typedef struct CK_HA_STATUS {
   CK_CHAR      groupSerial[16];
   CK_HA_MEMBER memberList[32];
   CK_ULONG     listSize;
} CK_HA_STATUS;

typedef CK_HA_MEMBER CK_POINTER CK_HA_MEMBER_PTR;

typedef CK_HA_STATUS CK_POINTER CK_HA_STATE_PTR;

Returns:

>groupSerial: The 16-byte serial number of the HA group.

>memberList: Array of information on up to 32 HA member partitions, each entry holding:

memberSerial: The 16-byte serial number of the member partition.

memberStatus: The status of the member.

>listSize: The length of the memberList array.

CA_GetCVFirmwareVersion

Get the Luna Cloud HSM firmware version. Requires Luna HSM Client 10.1.0 or newer.

CA_GetCVFirmwareVersion(CK_SLOT_ID   slotID, 
                        CK_ULONG_PTR fwMajor, 
                        CK_ULONG_PTR fwMinor, 
                        CK_ULONG_PTR fwSubminor); 
I/O Argument Description
In slotID The slot number.
Out fwMajor The major firmware version (X.x.x).
fwMinor The minor firmware version (x.X.x).
fwSubminor The sub-minor firmware version (x.x.X).

CA_GetDefaultHSMPolicyValue

Get the default value of the specified HSM policy. Requires minimum Luna HSM Firmware 7.1.0 and Luna HSM Client 7.1.0. See also HSM Capabilities and Policies.

CA_GetDefaultHSMPolicyValue(CK_SLOT_ID   slotID, 
                            CK_ULONG     ulPolicyId, 
                            CK_ULONG_PTR pulPolicyValue); 
I/O Argument Description
In slotID The slot number.
ulPolicyId The ID number of the policy.
Out pulPolicyValue The current setting for the specified policy.

CA_GetDefaultPartitionPolicyValue

Get the default value of the specified partition policy. Requires minimum Luna HSM Firmware 7.1.0 and Luna HSM Client 7.1.0. See also Partition Capabilities and Policies.

CA_GetDefaultPartitionPolicyValue(CK_SLOT_ID   slotID, 
                                  CK_ULONG     ulPolicyId, 
                                  CK_ULONG_PTR pulPolicyValue); 
I/O Argument Description
In slotID The slot number.
ulPolicyId The ID number of the policy.
Out pulPolicyValue The current setting for the specified policy.

CA_GetExtendedTPV

Retrieves the token's TPV and extended TPV.

CA_GetExtendedTPV(CK_SLOT_ID   slotID, 
                  CK_ULONG_PTR pulTpv, 
                  CK_ULONG_PTR pulTpvExt); 

CA_GetFirmwareVersion

Get the currently-installed Luna HSM firmware version.

CA_GetFirmwareVersion(CK_SLOT_ID   slotID, 
                      CK_ULONG_PTR fwMajor, 
                      CK_ULONG_PTR fwMinor, 
                      CK_ULONG_PTR fwSubminor); 
I/O Argument Description
In slotID The slot number.
Out fwMajor The major firmware version (X.x.x).
fwMinor The minor firmware version (x.X.x).
fwSubminor The sub-minor firmware version (x.x.X).

CA_GetFPV

Retrieves the token's Fixed Policy Vector (FPV).

CA_GetFPV(CK_SLOT_ID   slotID, 
          CK_ULONG_PTR pulFpv); 
I/O Argument Description
In slotID The slot number.
Out pulFpv The token's FPV.

CA_GetFunctionList

CA_GetFunctionList(CK_SFNT_CA_FUNCTION_LIST_PTR_PTR ppSfntFunctionList); 

CA_GetHAState

Get the status of the HA group. This function calls each group member one at a time. Deprecated in Luna HSM Client 10.7.0 and newer; use CA_GetCurrentHAState instead for improved performance.

CA_GetHAState(CK_SLOT_ID      slotId, 
              CK_HA_STATE_PTR pState); 
I/O Argument Description
In slotId The virtual slot number of the HA group.
Out pState The reported state of the HA group, as defined by the following structure:

typedef struct CK_HA_MEMBER {
   CK_CHAR      memberSerial[16];
   CK_RV        memberStatus;
} CK_HA_MEMBER;

typedef struct CK_HA_STATUS {
   CK_CHAR      groupSerial[16];
   CK_HA_MEMBER memberList[32];
   CK_ULONG     listSize;
} CK_HA_STATUS;

typedef CK_HA_MEMBER CK_POINTER CK_HA_MEMBER_PTR;

typedef CK_HA_STATUS CK_POINTER CK_HA_STATE_PTR;

Returns:

>groupSerial: The 16-byte serial number of the HA group.

>memberList: Array of information on up to 32 HA member partitions, each entry holding:

memberSerial: The 16-byte serial number of the member partition.

memberStatus: The status of the member.

>listSize: The length of the memberList array.
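Interpreting the CK_HA_STATUS structure documented for CA_GetClusterState, CA_GetCurrentHAState and CA_GetHAState above, as an added example that is not part of the Luna SDK: the 16-byte serials are not NUL-terminated, listSize is bounded by the 32-entry array, and each member carries its own CK_RV. The CK_* typedefs, the sample_status data and the ha_failed_members / serial_to_cstr helpers are local constructions standing in for cryptoki_v2.h and a real CA_GetCurrentHAState call.

```c
/* Added example: reading the CK_HA_STATUS filled in by CA_GetHAState /
 * CA_GetCurrentHAState. The struct layout is the one documented above;
 * the CK_* typedefs stand in for cryptoki_v2.h. */
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned long CK_RV;
typedef unsigned char CK_CHAR;

#define CKR_OK           0x0000UL
#define CKR_DEVICE_ERROR 0x0030UL   /* value as listed in the CA_GetSlotId table */

#define HA_MAX_MEMBERS 32

typedef struct CK_HA_MEMBER {
    CK_CHAR memberSerial[16];
    CK_RV   memberStatus;
} CK_HA_MEMBER;

typedef struct CK_HA_STATUS {
    CK_CHAR      groupSerial[16];
    CK_HA_MEMBER memberList[HA_MAX_MEMBERS];
    CK_ULONG     listSize;
} CK_HA_STATUS;

/* Serials are 16 raw bytes with no terminating NUL. Copy into a 17-byte
 * C string and strip trailing blanks/NULs so it can be logged safely. */
void serial_to_cstr(const CK_CHAR serial[16], char out[17])
{
    memcpy(out, serial, 16);
    out[16] = '\0';
    for (int i = 15; i >= 0 && (out[i] == ' ' || out[i] == '\0'); i--)
        out[i] = '\0';
}

/* Record the indexes of members whose status is not CKR_OK. listSize is
 * clamped to the array bound so an unexpected value cannot drive an
 * out-of-bounds read. Returns the total number of failed members; only
 * the first cap indexes are written to failed. */
CK_ULONG ha_failed_members(const CK_HA_STATUS *st, CK_ULONG *failed, CK_ULONG cap)
{
    CK_ULONG n = st->listSize > HA_MAX_MEMBERS ? HA_MAX_MEMBERS : st->listSize;
    CK_ULONG nfail = 0;
    for (CK_ULONG i = 0; i < n; i++) {
        if (st->memberList[i].memberStatus != CKR_OK) {
            if (nfail < cap)
                failed[nfail] = i;
            nfail++;
        }
    }
    return nfail;
}

/* Constructed sample: a three-member group whose second member reported
 * CKR_DEVICE_ERROR. In a real client the struct is filled by
 * CA_GetCurrentHAState(slotId, &st) instead. */
void sample_status(CK_HA_STATUS *st)
{
    memset(st, 0, sizeof *st);
    memcpy(st->groupSerial, "1234567890123456", 16);
    memcpy(st->memberList[0].memberSerial, "AAAA000000000001", 16);
    st->memberList[0].memberStatus = CKR_OK;
    memcpy(st->memberList[1].memberSerial, "AAAA000000000002", 16);
    st->memberList[1].memberStatus = CKR_DEVICE_ERROR;
    memcpy(st->memberList[2].memberSerial, "AAAA000000000003", 16);
    st->memberList[2].memberStatus = CKR_OK;
    st->listSize = 3;
}

int main(void)
{
    CK_HA_STATUS st;
    CK_ULONG failed[HA_MAX_MEMBERS];
    char buf[17];
    sample_status(&st);
    CK_ULONG nfail = ha_failed_members(&st, failed, HA_MAX_MEMBERS);
    serial_to_cstr(st.groupSerial, buf);
    printf("group %s: %lu of %lu members failed\n", buf, nfail, st.listSize);
    for (CK_ULONG i = 0; i < nfail; i++) {
        serial_to_cstr(st.memberList[failed[i]].memberSerial, buf);
        printf("  member %s status 0x%04lx\n", buf, st.memberList[failed[i]].memberStatus);
    }
    return nfail != 0;
}
```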

CA_GetHSMCapabilitySet

Get all HSM capability values. See also HSM Capabilities and Policies.

CA_GetHSMCapabilitySet(CK_SLOT_ID   uPhysicalSlot, 
                       CK_ULONG_PTR pulCapIdArray, 
                       CK_ULONG_PTR pulCapIdSize, 
                       CK_ULONG_PTR pulCapValArray, 
                       CK_ULONG_PTR pulCapValSize); 

CA_GetHSMCapabilitySetting

Get the specified HSM capability value. See also HSM Capabilities and Policies.

CA_GetHSMCapabilitySetting(CK_SLOT_ID   slotID, 
                           CK_ULONG     ulPolicyId, 
                           CK_ULONG_PTR pulPolicyValue); 
I/O Argument Description
In slotID The slot number.
ulPolicyId The ID number of the capability.
Out pulPolicyValue The setting for the specified capability.

CA_GetHSMPolicySet

Get all HSM policy values on the specified HSM slot. See also HSM Capabilities and Policies.

CA_GetHSMPolicySet(CK_SLOT_ID   uPhysicalSlot, 
                   CK_ULONG_PTR pulPolicyIdArray, 
                   CK_ULONG_PTR pulPolicyIdSize, 
                   CK_ULONG_PTR pulPolicyValArray, 
                   CK_ULONG_PTR pulPolicyValSize); 

CA_GetHSMPolicySetting

Get the value of a specified HSM policy. See also HSM Capabilities and Policies.

CA_GetHSMPolicySetting(CK_SLOT_ID   slotID, 
                       CK_ULONG     ulPolicyId, 
                       CK_ULONG_PTR pulPolicyValue); 
I/O Argument Description
In slotID The slot number.
ulPolicyId The ID number of the policy.
Out pulPolicyValue The current setting for the specified policy.

CA_GetHSMStats

Get HSM usage information such as operational counters.

CA_GetHSMStats(CK_SLOT_ID       slotID, 
               CK_ULONG         ulStatsIdsCount, 
               CK_ULONG_PTR     pStatsIds, 
               HSM_STATS_PARAMS *pStatsParams); 

CA_GetHSMStorageInformation

CA_GetHSMStorageInformation(CK_SLOT_ID   slotID, 
                            CK_ULONG_PTR pulContainerOverhead, 
                            CK_ULONG_PTR pulTotal, 
                            CK_ULONG_PTR pulUsed, 
                            CK_ULONG_PTR pulFree); 

CA_GetKCVLabels

Allows any logged-in role to retrieve the domain labels. See also Universal Cloning and Luna HSM Cloning API CPv4 Extensions to PKCS#11.

Requires minimum Luna HSM Firmware 7.8.0 and Luna HSM Client 10.5.0.

CA_GetKCVLabels(CK_SLOT_ID   slotID, 
                CK_ULONG_PTR ulNumberOfLabels, 
                CK_ULONG_PTR ulFlags, 
                CK_ULONG_PTR ulLabelLengths, 
                CK_BYTE_PTR  pLabels); 
I/O Argument Description
In slotID The slot number.
In/Out ulNumberOfLabels A pointer to receive the number of labels. This parameter cannot be NULL. When requesting the number of labels, it must point to a CK_ULONG set to 0, which is then populated with the number of labels. If a non-zero value is provided, it must define the size of the ulLabelLengths and pLabels arrays. If the non-zero value provided is too small, this parameter is populated with the number of labels.
ulFlags
ulLabelLengths A pointer to an array to receive the length of each label. When retrieving the number of labels, this parameter is ignored. Otherwise, it must point to an array of ulNumberOfLabels CK_ULONG values. On output, the array is populated with the length of each label.
pLabels A pointer to an array of CK_BYTE_PTR. When retrieving the number of labels, this parameter is ignored. Otherwise, it must point to an array of length ulNumberOfLabels, where each element is a buffer of at least 32 bytes. On output, each element of the array is populated with a domain label.

Return Code Hex Description
CKR_BUFFER_TOO_SMALL 0x0150 The non-zero value provided for ulNumberOfLabels is too small.

CA_GetModuleInfo

CA_GetModuleInfo(CK_SLOT_ID           slotId, 
                 CKCA_MODULE_ID       moduleId, 
                 CKCA_MODULE_INFO_PTR pInfo); 

CA_GetModuleList

CA_GetModuleList(CK_SLOT_ID         slotId, 
                 CKCA_MODULE_ID_PTR pList, 
                 CK_ULONG           ulListLen, 
                 CK_ULONG_PTR       pulReturnedSize); 

CA_GetMofNStatus

Get the M of N information for the specified partition.

CA_GetMofNStatus(CK_SLOT_ID         slotID, 
                 CA_MOFN_STATUS_PTR pMofNStatus); 

CA_GetNumberOfAllowedContainers

Gets the licensed number of partitions on the HSM. See also Upgrading HSM Capabilities and Partition Licenses.

CA_GetNumberOfAllowedContainers(CK_SLOT_ID   slot, 
                                CK_ULONG_PTR pulAllowedContainers); 
I/O Argument Description
In slot The slot number of the HSM Admin partition.
Out pulAllowedContainers The maximum number of partitions that can be created on the HSM, based on the number of licenses installed.

CA_GetObjectHandle

Get the object handle for the specified OUID.

CA_GetObjectHandle(CK_SLOT_ID   slotID, 
                   CK_ULONG     ulContainerNum, 
                   CK_BYTE      ouid[12], 
                   CK_ULONG_PTR pulObjectType, 
                   CK_ULONG_PTR pulObjectHandle); 

CA_GetObjectUID

Get the OUID for the specified object handle.

CA_GetObjectUID(CK_SLOT_ID slotID, 
                CK_ULONG   ulContainerNum, 
                CK_ULONG   ulObjectType, 
                CK_ULONG   ulObjectHandle, 
                CK_BYTE    ouid[12]); 

CA_GetPedId

Gets the PED ID.

CA_GetPedId(CK_SLOT_ID slotId, 
            CK_ULONG   *usPedId); 

CA_GetPluginModuleInfo

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_GetPluginModuleInfo(CK_SLOT_ID            slotID, 
                       CK_PLUGIN_MODULE_INFO * plugin_info); 

CA_GetPrimarySlot

CA_GetPrimarySlot(CK_SESSION_HANDLE hSession, 
                  CK_SLOT_ID_PTR    slotId_p); 

CA_GetRemotePEDVectorStatus

Get the status of the Remote PED Vector on the HSM; initialized or not initialized.

CA_GetRemotePEDVectorStatus(CK_SLOT_ID   slotID, 
                            CK_ULONG_PTR pulStatus); 

CA_GetRollbackFirmwareVersion

Get the firmware version currently stored on the HSM, available for rollback. See also Rolling Back the Luna HSM Firmware.

CA_GetRollbackFirmwareVersion(CK_SLOT_ID   slotID, 
                              CK_ULONG_PTR pulVersion); 
I/O Argument Description
In slotID The slot number.
Out pulVersion The stored previous firmware version available for rollback.

CA_GetSecondarySlot

CA_GetSecondarySlot(CK_SESSION_HANDLE hSession, 
                    CK_SLOT_ID_PTR    slotId_p); 

CA_GetServerInstanceBySlotID

Get the instance number, in the chrystoki.conf/crystoki.ini file, of the Luna Network HSM 7 to which the specified slot maps.

CA_GetServerInstanceBySlotID(CK_SLOT_ID   slotID, 
                             CK_ULONG_PTR pulInstanceNumber); 

CA_GetSessionInfo

Get information about the specified session, including vendor-specific information such as authentication state and the container handle.

CA_GetSessionInfo(CK_SESSION_HANDLE hSession, 
                  CK_ULONG_PTR      pulAidHigh, 
                  CK_ULONG_PTR      pulAidLow, 
                  CK_ULONG_PTR      pulContainerNumber, 
                  CK_ULONG_PTR      pulAuthenticationLevel); 

CA_GetSessionInfoV2

Get information about the specified session, including vendor-specific information such as authentication state and the container handle. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_GetSessionInfoV2(CK_SESSION_HANDLE hSession, 
                    CK_APPLICATION_ID * pAppID, 
                    CK_ULONG_PTR      pulContainerNumber, 
                    CK_ULONG_PTR      pulAuthenticationLevel); 

CA_GetSlotId

Resolve the ID of the token(s) from the given label. This extension applies to Luna keyrings only (see also Cluster Extensions). Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.

CA_GetSlotId(CK_UTF8CHAR    label[32], 
             CK_SLOT_ID_PTR pSlotId, 
             CK_ULONG_PTR   pulCount); 
I/O Argument Description
In label[32] The 32-byte label of the token to be resolved. The label must be padded with blank characters and must not be null-terminated.
pSlotId Pointer to the list of IDs of the matched token(s). Can be NULL_PTR.
Out pulCount Number of slot ID entries in the buffer. The size of the buffer is the number of entries x sizeof(CK_SLOT_ID).

If pSlotId is NULL_PTR, the number of slot IDs is returned. If pSlotId is not NULL_PTR, pulCount points to the size (in CK_SLOT_ID elements) of the buffer pointed to by pSlotId. If that buffer is large enough to hold the list of slot IDs, the list is returned in it. The value pointed to by pulCount is set to the number of slot IDs.

Return Code Hex Description
CKR_OK 0x0000 Successful
CKR_ARGUMENTS_BAD 0x0007
CKR_DEVICE_ERROR 0x0030
CKR_BUFFER_TOO_SMALL 0x0150 The buffer pointed to by pSlotId is not large enough to hold the list of slot IDs.
CKR_CRYPTOKI_NOT_INITIALIZED 0x0190
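The label rule and the two-call size-query pattern documented for CA_GetSlotId above, as an added example that is not part of the Luna SDK: make_token_label blank-pads a name into the 32-byte, non-NUL-terminated form, and resolve_label calls once with NULL_PTR to learn the count and then with a buffer of that size. The CK_* typedefs and return codes are local stand-ins for cryptoki_v2.h, and stub_get_slot_id is a constructed stand-in for the library call that follows the documented behaviour (including CKR_BUFFER_TOO_SMALL).

```c
/* Added example: building the 32-byte label CA_GetSlotId expects and
 * driving its documented two-call pattern. CK_* typedefs stand in for
 * cryptoki_v2.h so the file compiles on its own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long  CK_ULONG;
typedef unsigned long  CK_RV;
typedef unsigned long  CK_SLOT_ID;
typedef unsigned char  CK_UTF8CHAR;
typedef CK_SLOT_ID    *CK_SLOT_ID_PTR;
typedef CK_ULONG      *CK_ULONG_PTR;
#define NULL_PTR ((void *)0)

/* Return codes as listed in the CA_GetSlotId table above. */
#define CKR_OK                0x0000UL
#define CKR_ARGUMENTS_BAD     0x0007UL
#define CKR_BUFFER_TOO_SMALL  0x0150UL

#define LABEL_LEN 32

/* Blank-pad a C string into a 32-byte label with no terminating NUL.
 * Returns 0 on success, -1 if the name is longer than 32 bytes. */
int make_token_label(const char *name, CK_UTF8CHAR label[LABEL_LEN])
{
    size_t n = strlen(name);
    if (n > LABEL_LEN)
        return -1;
    memset(label, ' ', LABEL_LEN);
    memcpy(label, name, n);
    return 0;
}

/* CA_GetSlotId's documented signature, as a function pointer so the
 * resolver can be exercised against the stub below. */
typedef CK_RV (*get_slot_id_fn)(CK_UTF8CHAR label[LABEL_LEN],
                                CK_SLOT_ID_PTR pSlotId, CK_ULONG_PTR pulCount);

/* Two-call pattern: query the count with NULL_PTR, then fetch the list.
 * Returns the number of slot IDs written to out (at most cap), or -1 if
 * the label is invalid, the caller's buffer is too small, or the call
 * fails. */
long resolve_label(get_slot_id_fn get_slot_id, const char *name,
                   CK_SLOT_ID *out, CK_ULONG cap)
{
    CK_UTF8CHAR label[LABEL_LEN];
    CK_ULONG count = 0;
    if (make_token_label(name, label) != 0)
        return -1;
    if (get_slot_id(label, NULL_PTR, &count) != CKR_OK)
        return -1;
    if (count > cap)
        return -1;   /* second call would return CKR_BUFFER_TOO_SMALL */
    if (get_slot_id(label, out, &count) != CKR_OK)
        return -1;
    return (long)count;
}

/* Constructed stub standing in for the library: two slots carry the label
 * "payments" (as with HA members sharing a label); nothing else matches. */
static CK_RV stub_get_slot_id(CK_UTF8CHAR label[LABEL_LEN],
                              CK_SLOT_ID_PTR pSlotId, CK_ULONG_PTR pulCount)
{
    static const CK_SLOT_ID matches[] = { 3, 7 };
    const CK_ULONG nmatch = 2;
    CK_UTF8CHAR want[LABEL_LEN];
    if (pulCount == NULL_PTR)
        return CKR_ARGUMENTS_BAD;
    make_token_label("payments", want);
    CK_ULONG found = memcmp(label, want, LABEL_LEN) == 0 ? nmatch : 0;
    if (pSlotId == NULL_PTR) {
        *pulCount = found;     /* size query: report the count only */
        return CKR_OK;
    }
    if (*pulCount < found)
        return CKR_BUFFER_TOO_SMALL;
    memcpy(pSlotId, matches, found * sizeof(CK_SLOT_ID));
    *pulCount = found;
    return CKR_OK;
}

int main(void)
{
    CK_SLOT_ID slots[8];
    long n = resolve_label(stub_get_slot_id, "payments", slots, 8);
    for (long i = 0; i < n; i++)
        printf("slot %lu\n", slots[i]);
    return n < 0;
}
```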

CA_GetSlotIdForContainer

Get the slot for a given container handle.

CA_GetSlotIdForContainer(CK_ULONG       slotID, 
                         CK_ULONG       ulContainerNumber, 
                         CK_SLOT_ID_PTR pSlotID); 

CA_GetSlotIdForPhysicalSlot

Get the slot for a given physical slot.

CA_GetSlotIdForPhysicalSlot(CK_ULONG       physicalSlot, 
                            CK_SLOT_ID_PTR pSlotId); 

CA_GetSlotListFromServerInstance

Get the list of slots for the specified appliance/server instance number, as defined in the chrystoki.conf/crystoki.ini file.

CA_GetSlotListFromServerInstance(CK_ULONG       instanceNumber, 
                                 CK_SLOT_ID_PTR slotList, 
                                 CK_ULONG_PTR   pulCount); 

CA_GetTime

Get the current HSM time.

CA_GetTime(CK_SESSION_HANDLE hSession, 
           CK_ULONG_PTR      pulTime); 
I/O Argument Description
In hSession The authenticated session handle.
Out pulTime The current HSM time.

CA_GetTokenCapabilities

Get the capabilities for the specified partition. See also Partition Capabilities and Policies.

CA_GetTokenCapabilities(CK_SLOT_ID   ulSlotID, 
                        CK_ULONG_PTR pulCapIdArray, 
                        CK_ULONG_PTR pulCapIdSize, 
                        CK_ULONG_PTR pulCapValArray, 
                        CK_ULONG_PTR pulCapValSize); 

CA_GetTokenCertificateInfo

Get the cloning certificate for the specified partition.

CA_GetTokenCertificateInfo(CK_SLOT_ID   slotID, 
                           CK_ULONG     ulAccessLevel, 
                           CK_BYTE_PTR  pCertificate, 
                           CK_ULONG_PTR pulCertificateLen); 

CA_GetTokenCertificates

Get a certificate from the source token. Token Wrapping Certificates (TWC) are used for cloning.

CA_GetTokenCertificates(CK_SLOT_ID   slotID, 
                        CK_ULONG     ulCertType, 
                        CK_BYTE_PTR  pCertificate, 
                        CK_ULONG_PTR pulCertificateLen); 
I/O Argument Description
In slotID The slot number.
ulCertType Specify cert type TWC3 (CKHSC_CERT_TYPE_TWC3, 0x0000000B), defined in cryptoki_v2.h as shown below.
Out pCertificate The TWC certificate, retrieved from the primary member.
pulCertificateLen The length of the certificate.

The ulCertType parameter is defined in the cryptoki_v2.h header file as follows:

#define CKHSC_CERT_TYPE_TWC                 0x00000009
#define CKHSC_CERT_TYPE_TWC2                0x0000000A
#define CKHSC_CERT_TYPE_TWC3                0x0000000B

CA_GetTokenInsertionCount

Get the insertion or reset count of the HSM in the specified slot.

CA_GetTokenInsertionCount(CK_SLOT_ID   slotID, 
                          CK_ULONG_PTR pulCount); 

CA_GetTokenObjectHandle

Get a partition's object handle, if there is a partition security officer. Same as CA_GetObjectHandle.

CA_GetTokenObjectHandle(CK_SLOT_ID   slotID, 
                        CK_BYTE      ouid[12], 
                        CK_ULONG_PTR pulObjectType, 
                        CK_ULONG_PTR pulObjectHandle); 

CA_GetTokenObjectUID

Get a partition's OUID, if there is a partition security officer. Same as CA_GetObjectUID.

CA_GetTokenObjectUID(CK_SLOT_ID slotID, 
                     CK_ULONG   ulObjectType, 
                     CK_ULONG   ulObjectHandle, 
                     CK_BYTE    ouid[12]); 

CA_GetTokenPolicies

Get the policy settings on the partition in the specified slot. See also Partition Capabilities and Policies.

CA_GetTokenPolicies(CK_SLOT_ID   ulSlotID, 
                    CK_ULONG_PTR pulPolicyIdArray, 
                    CK_ULONG_PTR pulPolicyIdSize, 
                    CK_ULONG_PTR pulPolicyValArray, 
                    CK_ULONG_PTR pulPolicyValSize); 

CA_GetTokenStatus

Get the status of the partition in the specified slot.

CA_GetTokenStatus(CK_SLOT_ID   slotID, 
                  CK_ULONG_PTR pulStatusFlags, 
                  CK_ULONG_PTR pulCurSessionCnt, 
                  CK_ULONG_PTR pulCurRdWrSessionCnt); 

CA_GetTokenStorageInformation

Get storage information for the partition in the specified slot.

CA_GetTokenStorageInformation(CK_SLOT_ID   slotID, 
                              CK_ULONG_PTR pulContainerOverhead, 
                              CK_ULONG_PTR pulTotal, 
                              CK_ULONG_PTR pulUsed, 
                              CK_ULONG_PTR pulFree, 
                              CK_ULONG_PTR pulObjectCount); 

CA_GetTPV

Retrieves the token's Token Policy Vector (TPV).

CA_GetTPV(CK_SLOT_ID   slotID, 
          CK_ULONG_PTR pulTpv); 

CA_GetTSV

CA_GetTSV(CK_SLOT_ID   slotID, 
          CK_ULONG_PTR pTSV); 

CA_GetTunnelSlotNumber

Get the tunnel slot number for a given slot.

CA_GetTunnelSlotNumber(CK_SLOT_ID     slotID, 
                       CK_SLOT_ID_PTR pTunnelSlotID); 

CA_GetUnassignedSlot

Get the ID of the next unassigned token from the unordered list of created tokens in the system. This extension applies to Luna keyrings only (see also Cluster Extensions). Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.

The token is considered unassigned when its original label matches the current label. Each token has an associated lock which is intended to be held by an application that is in the process of assigning it. Only the application holding a lock on the token should proceed to assign the token. A slot returned by this call will have its lock set on return. The lock can also be directly manipulated via CA_LockClusteredSlot or CA_UnlockClusteredSlot functions (these operations are thread/process safe). The only time the mutex lock will automatically unset itself is when the application is disconnected before it has a chance to execute the CA_UnlockClusteredSlot function. A token’s lock status must be enforced by the client application as the system will not block any operations based on the lock.

CA_GetUnassignedSlot(const CK_CHAR_PTR           clusterID, 
                     CK_UNASSIGNED_SLOT_INFO_PTR pUnassignedSlot); 
I/O Argument Description
In clusterID The cluster OUID.
Out pUnassignedSlot CK_UNASSIGNED_SLOT_INFO_PTR is defined as a pointer to the following structure:

typedef struct CK_UNASSIGNED_SLOT_INFO {
            CK_SLOT_ID                 slotID;
            CK_UTF8CHAR                label[32];    /* blank padded */
} CK_UNASSIGNED_SLOT_INFO;

Returns:

>slotID: the ID of the unassigned token.

>label[32]: the 32-byte label of the unassigned token. It is not null-terminated and is padded with space characters.

Return Code Hex Description
CKR_OK 0x0000 Successful
CKR_FUNCTION_FAILED 0x0006 Cannot find any unassigned tokens.
CKR_ARGUMENTS_BAD 0x0007  
CKR_DEVICE_ERROR 0x0030  
CKR_BUFFER_TOO_SMALL 0x0150  
CKR_CRYPTOKI_NOT_INITIALIZED 0x0190  
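
The label in CK_UNASSIGNED_SLOT_INFO is not a C string: it is exactly 32 bytes, space padded and never NUL-terminated, so passing it straight to strcmp or printf("%s") reads past the structure. The following added example (not Luna SDK code; the function names luna_label_to_cstring, luna_slot_is_unassigned and luna_cstring_to_label are hypothetical helpers, and the CK_* typedefs are placeholders standing in for the ones in cryptoki.h) shows how to copy the label into a bounded, NUL-terminated buffer and how to apply the "original label equals current label" test that the documentation uses to define an unassigned token. The sample structure is constructed in main; nothing is read from an HSM.

```c
/* Added example (not Luna SDK code): safe handling of the blank-padded,
 * non-NUL-terminated label returned in CK_UNASSIGNED_SLOT_INFO.
 * The typedefs below are placeholders for the cryptoki.h ones. */
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;      /* placeholder typedefs, see cryptoki.h */
typedef CK_ULONG      CK_SLOT_ID;
typedef unsigned char CK_UTF8CHAR;

typedef struct CK_UNASSIGNED_SLOT_INFO {
    CK_SLOT_ID  slotID;
    CK_UTF8CHAR label[32];   /* blank padded, NOT NUL-terminated */
} CK_UNASSIGNED_SLOT_INFO;

/* Copy the 32-byte label into a NUL-terminated buffer of at least 33 bytes,
 * dropping the trailing space padding. Reads at most label[0..31].
 * Returns the number of label bytes copied, or 0 if the buffer is too small. */
size_t luna_label_to_cstring(const CK_UTF8CHAR label[32], char *out, size_t outlen)
{
    size_t n = 32;
    if (outlen < 33) {           /* refuse rather than truncate silently */
        if (outlen) out[0] = '\0';
        return 0;
    }
    while (n > 0 && label[n - 1] == ' ') n--;
    memcpy(out, label, n);
    out[n] = '\0';
    return n;
}

/* The documented "unassigned" test: the current label still equals the
 * label the token was created with. */
int luna_slot_is_unassigned(const CK_UNASSIGNED_SLOT_INFO *info, const char *original_label)
{
    char cur[33];
    luna_label_to_cstring(info->label, cur, sizeof cur);
    return strcmp(cur, original_label) == 0;
}

/* Build a blank-padded label the way the token stores it (truncated to
 * 32 bytes, padded with spaces). Constructed helper used to build samples. */
void luna_cstring_to_label(const char *s, CK_UTF8CHAR label[32])
{
    size_t n = strlen(s);
    if (n > 32) n = 32;
    memset(label, ' ', 32);
    memcpy(label, s, n);
}

int main(void)
{
    CK_UNASSIGNED_SLOT_INFO info;   /* constructed sample, not read from an HSM */
    char buf[33];

    info.slotID = 7;
    luna_cstring_to_label("keyring-0007", info.label);
    luna_label_to_cstring(info.label, buf, sizeof buf);
    printf("slot %lu label '%s' unassigned=%d\n", info.slotID, buf,
           luna_slot_is_unassigned(&info, "keyring-0007"));
    return 0;
}
```

Because the lock on the returned slot is only advisory (the system does not block operations based on it), a client should do this label check and the subsequent assignment while it holds the lock, and release it with CA_UnlockClusteredSlot afterwards.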

CA_GetUnauthTokenInsertionStatus

CA_GetUnauthTokenInsertionStatus(CK_SESSION_HANDLE hSession, 
                                 CK_ULONG          ulContextHandle, 
                                 CK_ULONG          *pulMaxUsageCount, 
                                 CK_ULONG          *pulCurUsageCount); 
I/O Argument Description
In hSession The authenticated session handle.
ulContextHandle
*pulMaxUsageCount
*pulCurUsageCount

CA_GetUserContainerName

CA_GetUserContainerName(CK_SLOT_ID   slotID, 
                        CK_BYTE_PTR  pName, 
                        CK_ULONG_PTR pulNameLen); 

CA_GetUserContainerNumber

CA_GetUserContainerNumber(CK_SLOT_ID   slotID, 
                          CK_ULONG_PTR pulContainerNumber); 

CA_HAActivateMofN

Perform M of N authentication using the masked M of N secret. The resulting M of N secret is checked against the CRC stored in the MofN PARAM structure.

CA_HAActivateMofN(CK_SESSION_HANDLE hSession, 
                  CK_BYTE_PTR       pMofNSecretBlob, 
                  CK_ULONG          ulMofNSecretBlobLen); 
I/O Argument Description
In hSession The private session handle.
pMofNSecretBlob Pointer to the M of N secret blob that is passed in.
ulMofNSecretBlobLen The length of the M of N secret blob.

CA_HAAnswerLoginChallenge

Called on the primary member token, this function accepts the login challenge blob and returns the encrypted SO or CO credential, as appropriate.

CA_HAAnswerLoginChallenge(CK_SESSION_HANDLE hSession, 
                          CK_OBJECT_HANDLE  hLoginPrivateKey, 
                          CK_BYTE_PTR       pChallengeBlob, 
                          CK_ULONG          ulChallengeBlobLen, 
                          CK_BYTE_PTR       pEncryptedPin, 
                          CK_ULONG_PTR      pulEncryptedPinLen); 
I/O Argument Description
In hSession The public session handle.
hLoginPrivateKey The object handle of the login key.
pChallengeBlob Pointer to the buffer holding the encrypted credential challenge blob.
ulChallengeBlobLen The length of the encrypted credential challenge blob.
Out pEncryptedPin Pointer to the buffer holding the encrypted credential.
pulEncryptedPinLen Pointer to the value holding the encrypted credential length.

CA_HAAnswerMofNChallenge

Get the primary token's masked M of N secret. You must supply the M of N challenge blob. This function must be called on the primary HA member.

CA_HAAnswerMofNChallenge(CK_SESSION_HANDLE hSession, 
                         CK_BYTE_PTR       pMofNBlob, 
                         CK_ULONG          ulMofNBlobLen, 
                         CK_BYTE_PTR       pMofNSecretBlob, 
                         CK_ULONG_PTR      pulMofNSecretBlobLen); 
I/O Argument Description
In hSession The authenticated session handle.
pMofNBlob Pointer to the M of N challenge blob.
ulMofNBlobLen The length of the M of N challenge blob.
Out pMofNSecretBlob Pointer to the buffer to hold the M of N secret blob.
pulMofNSecretBlobLen Pointer to the value that holds the length of the M of N secret blob.

CA_HAGetLoginChallenge

Called on a non-primary member token, this function accepts the TWC blob and returns the member's login challenge blob.

CA_HAGetLoginChallenge(CK_SESSION_HANDLE hSession, 
                       CK_USER_TYPE      userType, 
                       CK_BYTE_PTR       pCertificate, 
                       CK_ULONG          ulCertificateLen, 
                       CK_BYTE_PTR       pChallengeBlob, 
                       CK_ULONG_PTR      pulChallengeBlobLen); 
I/O Argument Description
In hSession The public session handle.
userType The user role on the partition. Valid values: SO (for Partition Security Officer) or USER (for Crypto Officer).
pCertificate The Token Wrapping Certificate (TWC).
ulCertificateLen The TWC certificate length.
Out pChallengeBlob Pointer to the buffer holding the encrypted credential challenge blob.
pulChallengeBlobLen Pointer to the value to hold the challenge blob length.

CA_HAGetMasterPublic

Called on the primary token, this function retrieves the primary token's Token Wrapping Certificate (TWC) and returns it as a blob (octet string and length).

CA_HAGetMasterPublic(CK_SLOT_ID   slotId, 
                     CK_BYTE_PTR  pCertificate, 
                     CK_ULONG_PTR pulCertificate); 
I/O Argument Description
In slotId The slot number.
Out pCertificate Pointer to the TWC certificate string.
pulCertificate Pointer to the value to hold the TWC certificate length.

CA_HAGetMasterPublic_V1_1

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_HAGetMasterPublic_V1_1(CK_SESSION_HANDLE hSession, 
                          CK_BYTE_PTR       pMasterPublicData, 
                          CK_ULONG_PTR      pulMasterPublicDataLen); 

CA_HAGetMasterPublicData

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_HAGetMasterPublicData(CK_SESSION_HANDLE hSession, 
                         CK_OBJECT_HANDLE  hLoginPrivateKey, 
                         CK_BYTE_PTR       pMasterPublicData, 
                         CK_ULONG_PTR      pulMasterPublicDataLen); 

CA_HAInit

Initialize a token in an HA environment. This function requires an RSA private key that has been cloned to all members in the environment.

CA_HAInit(CK_SESSION_HANDLE hSession, 
          CK_OBJECT_HANDLE  hLoginPrivateKey); 
I/O Argument Description
In hSession The session handle, logged in by the user who owns the login key.
hLoginPrivateKey The object handle of the login key.

CA_HAInitExtended

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_HAInitExtended(CK_SESSION_HANDLE hSession, 
                  CK_OBJECT_HANDLE  hLoginPrivateKey, 
                  CK_BYTE_PTR       pLoginPrivateKeyPKC, 
                  CK_ULONG          ulLoginPrivateKeyPKCLen, 
                  CK_ULONG_PTR      pulUserTypes, 
                  CK_ULONG_PTR      pulTokenTypes, 
                  CK_ULONG          ulNumberOfRole); 

CA_HALogin

Called on a non-primary member token, this function accepts the encrypted credential and logs the token in. If the token requires M of N authentication, an M of N challenge blob is returned.

CA_HALogin(CK_SESSION_HANDLE hSession, 
           CK_BYTE_PTR       pEncryptedPin, 
           CK_ULONG          ulEncryptedPinLen, 
           CK_BYTE_PTR       pMofNBlob, 
           CK_ULONG_PTR      pulMofNBlobLen); 
I/O Argument Description
In hSession The public session handle.
pEncryptedPin Pointer to the buffer holding the encrypted credential.
ulEncryptedPinLen Length of the encrypted credential.
Out pMofNBlob Pointer to the buffer to hold the M of N blob. If no M of N authentication is required, a zero-length blob is returned.
pulMofNBlobLen Pointer to the value to hold the length of the M of N blob.

CA_IncrementFailedAuthCount

Increment the CKA_FAILED_KEY_AUTH_COUNT for a key. This function is used to keep members of an HA group in sync. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_IncrementFailedAuthCount(CK_SESSION_HANDLE hSession, 
                            CK_OBJECT_HANDLE  hObject); 
I/O Argument Description
In hSession The authenticated session handle.
hObject The object handle.

CA_IndirectLogin

Performs an indirect login operation.

CA_IndirectLogin(CK_SESSION_HANDLE hSession, 
                 CK_USER_TYPE      userType, 
                 CK_SESSION_HANDLE hPrimarySession); 

CA_InitAudit

Initialize the Auditor role on the HSM. See also Configuring Audit Logging.

CA_InitAudit(CK_SLOT_ID  slotID, 
             CK_CHAR_PTR pPin, 
             CK_ULONG    usPinLen, 
             CK_CHAR_PTR pLabel); 

CA_InitializeRemotePEDVector

Initialize the Remote PED Vector (RPV) on the HSM. See also Initializing the Remote PED Vector and Creating an Orange Remote PED key.

CA_InitializeRemotePEDVector(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_InitIndirectPIN

Initialize a user PIN so that it may be used normally or indirectly.

CA_InitIndirectPIN(CK_SESSION_HANDLE hSession, 
                   CK_CHAR_PTR       pPin, 
                   CK_ULONG          usPinLen, 
                   CK_SESSION_HANDLE hPrimarySession); 

CA_InitIndirectToken

CA_InitIndirectToken(CK_SLOT_ID        slotID, 
                     CK_CHAR_PTR       pPin, 
                     CK_ULONG          usPinLen, 
                     CK_CHAR_PTR       pLabel, 
                     CK_SESSION_HANDLE hPrimarySession); 

CA_InitRolePIN

Initialize a role on the partition in the current slot.

CA_InitRolePIN(CK_SESSION_HANDLE hSession, 
               CK_USER_TYPE      userType, 
               CK_CHAR_PTR       pPin, 
               CK_ULONG          usPinLen); 

CA_InitSlotRolePIN

Initialize a role on the partition on a different, specified slot.

CA_InitSlotRolePIN(CK_SESSION_HANDLE hSession, 
                   CK_SLOT_ID        slotID, 
                   CK_USER_TYPE      userType, 
                   CK_CHAR_PTR       pPin, 
                   CK_ULONG          usPinLen); 

CA_InitToken

Initialize a partition using a policy template. Requires minimum Luna HSM Firmware 7.1.0 and Luna HSM Client 7.1.0. See also Setting Partition Policies Using a Template.

Using Luna HSM Client 10.5.0 or newer:

CA_InitToken(CK_SLOT_ID         slotID, 
             CK_CHAR_PTR        pPin, 
             CK_ULONG           usPinLen, 
             CK_CHAR_PTR        pLabel, 
             CK_BYTE_PTR        pDomain, 
             CK_ULONG           ulDomainLen, 
             CK_BYTE_PTR        pDomainId, 
             CK_ULONG           ulDomainIdLen, 
             CK_ULONG           ulPolicyCount, 
             CK_POLICY_INFO_PTR pPolicyData, 
             CK_ULONG           ulHSMPolicyCount, 
             CK_POLICY_INFO_PTR pHSMPolicyData); 

Using Luna HSM Client 10.4.1 or older:

CA_InitToken(CK_SLOT_ID         slotID, 
             CK_CHAR_PTR        pPin, 
             CK_ULONG           usPinLen, 
             CK_CHAR_PTR        pLabel, 
             CK_BYTE_PTR        pDomain, 
             CK_ULONG           ulDomainLen, 
             CK_ULONG           ulPolicyCount, 
             CK_POLICY_INFO_PTR pPolicyData, 
             CK_ULONG           ulHSMPolicyCount, 
             CK_POLICY_INFO_PTR pHSMPolicyData); 

CA_InitTokenIPD

Requires Luna HSM Client 10.4.1 or newer.

Using Luna HSM Client 10.5.0 or newer:

CA_InitTokenIPD(CK_SLOT_ID         slotID, 
                CK_CHAR_PTR        pPin, 
                CK_ULONG           usPinLen, 
                CK_CHAR_PTR        pLabel, 
                CK_BYTE_PTR        pDomain, 
                CK_ULONG           ulDomainLen, 
                CK_BYTE_PTR        pDomainId, 
                CK_ULONG           ulDomainIdLen, 
                CK_ULONG           ulPolicyCount, 
                CK_POLICY_INFO_PTR pPolicyData, 
                CK_ULONG           ulHSMPolicyCount, 
                CK_POLICY_INFO_PTR pHSMPolicyData); 

Using Luna HSM Client 10.4.1:

CA_InitTokenIPD(CK_SLOT_ID         slotID, 
                CK_CHAR_PTR        pPin, 
                CK_ULONG           usPinLen, 
                CK_CHAR_PTR        pLabel, 
                CK_BYTE_PTR        pDomain, 
                CK_ULONG           ulDomainLen, 
                CK_ULONG           ulPolicyCount, 
                CK_POLICY_INFO_PTR pPolicyData, 
                CK_ULONG           ulHSMPolicyCount, 
                CK_POLICY_INFO_PTR pHSMPolicyData); 

CA_InitTokenWithAType

Requires Luna HSM Client 10.1.0 or newer.

Using Luna HSM Client 10.5.0 or newer:

CA_InitTokenWithAType(CK_ULONG           uAuthenticationType, 
                      CK_SLOT_ID         slotID, 
                      CK_CHAR_PTR        pPin, 
                      CK_ULONG           usPinLen, 
                      CK_CHAR_PTR        pLabel, 
                      CK_BYTE_PTR        pDomain, 
                      CK_ULONG           ulDomainLen, 
                      CK_BYTE_PTR        pDomainId, 
                      CK_ULONG           ulDomainIdLen, 
                      CK_ULONG           ulPolicyCount, 
                      CK_POLICY_INFO_PTR pPolicyData, 
                      CK_ULONG           ulHSMPolicyCount, 
                      CK_POLICY_INFO_PTR pHSMPolicyData); 

Using Luna HSM Client 10.4.1 or older:

CA_InitTokenWithAType(CK_ULONG           uAuthenticationType, 
                      CK_SLOT_ID         slotID, 
                      CK_CHAR_PTR        pPin, 
                      CK_ULONG           usPinLen, 
                      CK_CHAR_PTR        pLabel, 
                      CK_BYTE_PTR        pDomain, 
                      CK_ULONG           ulDomainLen, 
                      CK_ULONG           ulPolicyCount, 
                      CK_POLICY_INFO_PTR pPolicyData, 
                      CK_ULONG           ulHSMPolicyCount, 
                      CK_POLICY_INFO_PTR pHSMPolicyData); 

CA_Insert

This API inserts objects, or internal CPS, using the specified session id. The API functionality is defined by a mechanism and a mechanism parameter which allows for any functionality to be defined on a per-mechanism basis. This makes it ideal for the CPv4 extract/insert operations and is consistent with the PKCS#11 API. Requires minimum Luna HSM Firmware 7.8.0 and Luna HSM Client 10.5.0.

CA_Insert(CK_SESSION_HANDLE hSession, 
          CK_MECHANISM_PTR  pMechanism); 
I/O Argument Description
In hSession The authenticated session handle.
In/Out pMechanism Specify CKM_CPV4_INSERT (0x80000209) for CPv4 insert operations. It takes a parameter, CK_CPV4_INSERT_PARAMS (see below).

The parameter CK_CPV4_INSERT_PARAMS is structured as follows:

typedef struct CK_CPV4_INSERT_PARAMS {
  CK_ULONG_PTR    sessionIdLength;
  CK_BYTE         sessionId;
  CK_ULONG        insertionFlags;
  CK_ULONG        numberOfObjects;
  CK_ULONG_PTR    storageType;
  CK_ULONG_PTR    objectType;
  CK_ULONG_PTR    keyBlobLength;
  CK_BYTE_PTR_PTR keyBlob;
  CK_RV_PTR       result;
  CK_ULONG_PTR    objectHandle;
} CK_CPV4_INSERT_PARAMS;
I/O Argument Description
In sessionIdLength The length of the session ID.
sessionId The identifier for the session to be used to insert the key blob(s).
insertionFlags Flags used to define how errors are handled during insertion. The default value is 0, which is to return on the first error. The following flag is accepted:

>CKF_CONTINUE_ON_ERR (0x01): If specified, the API continues attempting to insert objects if an individual object fails. If the flag is not specified, the API fails after the first failure is encountered.

numberOfObjects The number of objects to be inserted.
storageType An array of storage type identifiers used to define how each object should be inserted.
objectType An array of object types defining the type of each object pointed to by the array of object handles. Possible values are CK_CRYPTOKI_ELEMENT and CK_PARAM_ELEMENT.
keyBlobLength An array of length fields that correspond to the array of memory buffers pointed to by keyBlob. This pointer and each array element cannot be NULL.
keyBlob An array of memory buffers that contain the key blobs. This pointer and each array element cannot be NULL.
Out result An array of result codes defining the result of each object insertion. This field should be initialized to CKR_CLONE_NOT_ATTEMPTED for all objects. If an error is encountered trying to insert an object, that error is set in the result field that corresponds to that object. Callers of this API should verify the result field for each object to determine whether the object was successfully inserted.
objectHandle An array of object handles that receives the handle of each inserted object.

For information on error codes, see CPv4 PKCS#11 Error Code Summary.

CA_InsertMaskedObject

CA_InsertMaskedObject(CK_SESSION_HANDLE hSession, 
                      CK_ULONG_PTR      pulObjectHandle, 
                      CK_BYTE_PTR       pMaskedKey, 
                      CK_ULONG          usMaskedKeyLen); 

CA_InvokeService

CA_InvokeService(CK_SESSION_HANDLE hSession, 
                 CK_BYTE_PTR       pBufferIn, 
                 CK_ULONG          ulBufferInLength, 
                 CK_ULONG_PTR      pulBufferOutLength); 

CA_InvokeServiceAsynch

CA_InvokeServiceAsynch(CK_SESSION_HANDLE hSession, 
                       CK_ULONG          ulPortNumber, 
                       CK_BYTE_PTR       pBufferIn, 
                       CK_ULONG          ulBufferInLength); 

CA_InvokeServiceFinal

CA_InvokeServiceFinal(CK_SESSION_HANDLE hSession, 
                      CK_BYTE_PTR       pBufferOut, 
                      CK_ULONG_PTR      pulBufferOutLength); 

CA_InvokeServiceInit

CA_InvokeServiceInit(CK_SESSION_HANDLE hSession, 
                     CK_ULONG          ulPortNumber); 

CA_InvokeServiceSinglePart

CA_InvokeServiceSinglePart(CK_SESSION_HANDLE hSession, 
                           CK_ULONG          ulPortNumber, 
                           CK_BYTE_PTR       pBufferIn, 
                           CK_ULONG          ulBufferInLength, 
                           CK_BYTE_PTR       pBufferOut, 
                           CK_ULONG_PTR      pulBufferOutLength); 

CA_IsPluginDevice

Requires Luna HSM Client 10.1.0 or newer.

CA_IsPluginDevice(CK_SLOT_ID slotID, 
                  CK_BBOOL   * plugin); 

CA_LoadEncryptedModule

CA_LoadEncryptedModule(CK_SESSION_HANDLE  hSession, 
                       CK_OBJECT_HANDLE   hKey, 
                       CK_BYTE_PTR        pIv, 
                       CK_ULONG           ulIvLen, 
                       CK_BYTE_PTR        pModuleCode, 
                       CK_ULONG           ulModuleCodeSize, 
                       CK_BYTE_PTR        pModuleSignature, 
                       CK_ULONG           ulModuleSignatureSize, 
                       CK_BYTE_PTR        pCertificate, 
                       CK_ULONG           ulCertificateSize, 
                       CKCA_MODULE_ID_PTR pModuleId); 

CA_LoadModule

CA_LoadModule(CK_SESSION_HANDLE  hSession, 
              CK_BYTE_PTR        pModuleCode, 
              CK_ULONG           ulModuleCodeSize, 
              CK_BYTE_PTR        pModuleSignature, 
              CK_ULONG           ulModuleSignatureSize, 
              CK_BYTE_PTR        pCertificate, 
              CK_ULONG           ulCertificateSize, 
              CK_BYTE_PTR        pControlData, 
              CK_ULONG           ulControlDataSize, 
              CKCA_MODULE_ID_PTR pModuleId); 

CA_LockClusteredSlot

Lock the specified keyring. This extension applies to Luna keyrings only (see also Cluster Extensions). Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.

CA_LockClusteredSlot(CK_SLOT_ID slotId); 
I/O Argument Description
In slotId The slot number.

Return Code Hex Description
CKR_OK 0x0000 Successful
CKR_SLOT_ID_INVALID 0x0003  
CKR_DEVICE_ERROR 0x0030  

CA_LogExportSecret

Export the audit log HMAC key. See also Exporting the Audit Logging Secret and Importing to a Verifying HSM.

CA_LogExportSecret(CK_SESSION_HANDLE hSession, 
                   CK_BYTE_PTR       pStr, 
                   CK_ULONG_PTR      pStrSize); 

CA_LogExternal

Push an application-provided message to the HSM and enter it in the audit log.

CA_LogExternal(CK_SLOT_ID        slotID, 
               CK_SESSION_HANDLE hSession, 
               const CK_CHAR     *pStr, 
               CK_ULONG          ulLen); 

CA_LogGetConfig

Get the audit log configuration. See also lunacm:> audit config get.

CA_LogGetConfig(CK_SESSION_HANDLE hSession, 
                CK_ULONG          *mask, 
                CK_ULONG          *logRotateOffset, 
                CK_ULONG          *logRotateInterval, 
                CK_ULONG          *maxLogSize, 
                CK_BYTE_PTR       pLogPath); 

CA_LogGetStatus

Get the audit log status (audit role, logs needing export, HSM to PedClient communication status).

CA_LogGetStatus(CK_SLOT_ID slotId, 
                CK_ULONG   *auditInitStatus, 
                CK_ULONG   *lastPollResult, 
                CK_ULONG   *lastSetConfigResult, 
                CK_ULONG   *isConfigInParamArea, 
                CK_ULONG   *numRecordsInFlash); 

CA_LogImportSecret

Import an audit log HMAC key. See also Exporting the Audit Logging Secret and Importing to a Verifying HSM.

CA_LogImportSecret(CK_SESSION_HANDLE hSession, 
                   CK_BYTE_PTR       pStr, 
                   CK_ULONG          strSize); 

CA_LogoutOther

Requires Luna HSM Client 10.5.1 or newer.

CA_LogoutOther(CK_SESSION_HANDLE hSession, 
               CK_USER_TYPE      userType); 
I/O Argument Description
In hSession The authenticated session handle.
userType The user role on the partition.

CA_LogSetConfig

Modify the audit log configuration. See also Configuring Audit Logging.

CA_LogSetConfig(CK_SESSION_HANDLE hSession, 
                CK_ULONG          mask, 
                CK_ULONG          logRotateOffset, 
                CK_ULONG          logRotateInterval, 
                CK_ULONG          maxLogSize, 
                CK_BYTE_PTR       pLogPath); 

CA_LogVerify

Verify the audit log records. See also lunacm:> audit verify.

CA_LogVerify(CK_SESSION_HANDLE hSession, 
             CK_BYTE_PTR       pLogMsgs, 
             CK_ULONG          ulMsgCount, 
             CK_ULONG          bChainToHSM, 
             CK_ULONG_PTR      pulNumVerified); 

CA_LogVerifyFile

Verify the audit log record file. See also lunacm:> audit verify.

CA_LogVerifyFile(CK_SESSION_HANDLE hSession, 
                 CK_CHAR_PTR       pFileName, 
                 CK_ULONG_PTR      ulNumVerified); 

CA_ManualKCV

Set the cloning domain (key cloning vector) on the partition.

CA_ManualKCV(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_MdPriv_Initialize

Requires minimum Luna HSM Firmware 7.4.0 and Luna HSM Client 7.4.0.

CA_MdPriv_Initialize(void     *pMdPrivIf, 
                     unsigned int len, 
                     void     *pLogIf); 

CA_MigrateKeys

This API clones one or more objects from a source session to a target session. The API can clone user objects (a.k.a. CryptokiObjects) or parameters like the SMK (a.k.a. ParamObjects). The API also supports a "flags" field to alter the behavior of the API when errors are encountered.

In addition to implementing CPv4, the top level API takes on the behavior that allows it to use existing key migration methods.

CA_MigrateKeys(CK_SESSION_HANDLE            sourceSession, 
               CK_SESSION_HANDLE            targetSession, 
               CK_ULONG                     migrationFlags, 
               CK_ULONG                     numberOfObjects, 
               CK_OBJECT_MIGRATION_DATA_PTR migrationData); 
I/O Argument Description
In sourceSession An authenticated session on the source partition.
targetSession An authenticated session on the target partition.
migrationFlags Flags used to define the behavior of the migration protocol. The following flag is accepted:

>CKF_CONTINUE_ON_ERR (0x01): If specified, the API continues attempting to clone objects if an individual object fails to clone. If the flag is not specified, the API fails after the first failure is encountered.

numberOfObjects The number of objects to migrate. Implicitly defines the size of the array pointed to by migrationData. This parameter cannot be 0.
In/Out migrationData An array of CK_OBJECT_MIGRATION_DATA structures whose length is defined by numberOfObjects. This parameter cannot be NULL. Each element is defined by the following structure:

typedef struct CK_OBJECT_MIGRATION_DATA {
   CK_ULONG         objectType;
   CK_OBJECT_HANDLE sourceHandle;
   CK_OBJECT_HANDLE targetHandle;
   CK_RV            rv;
} CK_OBJECT_MIGRATION_DATA;

Fields:

>objectType: used to specify if the object is a CryptokiObject or a ParamObject.

>sourceHandle: the handle of the object to be cloned.

>targetHandle: the handle of the object after it has been cloned to the target device.

>rv: the result of the clone operation for this specific object. This field is initialized to CKR_CLONE_NOT_ATTEMPTED for every object. If an object fails to clone, then the rv field for that object is populated with the specific error code for the failure. Callers of CA_MigrateKeys should verify the rv field for each object to determine if the object was successfully cloned.

If an individual object fails to clone, CA_MigrateKeys returns CKR_OK. If an error is encountered in the core logic of CA_MigrateKeys, then the error code for that event is returned by the API, and the value of rv remains CKR_CLONE_NOT_ATTEMPTED for all objects that were not attempted to be cloned.

For information on error codes, see CPv4 PKCS#11 Error Code Summary.
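
Both CA_Insert (result array) and CA_MigrateKeys (rv field) use the same contract: the caller pre-fills every per-object code with CKR_CLONE_NOT_ATTEMPTED, and a CKR_OK from the API does not by itself mean every object was processed. The added example below (not Luna SDK code) shows the bookkeeping a caller needs around that contract: initialising the array, then separating cloned, failed and not-attempted objects after the call and deciding where a retry should resume. The helper names migration_data_init, migration_summarize and migration_first_problem are hypothetical, the CK_* typedefs are placeholders for the cryptoki.h ones, and the numeric value given to CKR_CLONE_NOT_ATTEMPTED is a placeholder (the real value is defined in cryptoki_v2.h). The outcome in main is constructed to look like the array after a CKF_CONTINUE_ON_ERR call in which one object failed; no HSM is involved.

```c
/* Added example (not Luna SDK code): bookkeeping for the per-object result
 * contract shared by CA_MigrateKeys (rv) and CA_Insert (result).
 * Typedefs are placeholders for cryptoki.h; CKR_CLONE_NOT_ATTEMPTED's value
 * is a PLACEHOLDER, take the real one from cryptoki_v2.h. */
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG      CK_RV;
typedef CK_ULONG      CK_OBJECT_HANDLE;

#define CKR_OK                  0x0000UL
#define CKR_FUNCTION_FAILED     0x0006UL
#define CKR_DEVICE_ERROR        0x0030UL
#define CKR_CLONE_NOT_ATTEMPTED 0x80000FFFUL   /* PLACEHOLDER value */
#define CKF_CONTINUE_ON_ERR     0x01UL         /* value documented above */

typedef struct CK_OBJECT_MIGRATION_DATA {
    CK_ULONG         objectType;
    CK_OBJECT_HANDLE sourceHandle;
    CK_OBJECT_HANDLE targetHandle;
    CK_RV            rv;
} CK_OBJECT_MIGRATION_DATA;

typedef struct {
    CK_ULONG cloned;        /* rv == CKR_OK */
    CK_ULONG failed;        /* rv holds a specific error code */
    CK_ULONG notAttempted;  /* rv still CKR_CLONE_NOT_ATTEMPTED */
} MigrationSummary;

/* Prepare the array before the call: every rv starts as CKR_CLONE_NOT_ATTEMPTED
 * (as the documentation requires) and targetHandle, an output, is cleared. */
void migration_data_init(CK_OBJECT_MIGRATION_DATA *d, CK_ULONG n,
                         const CK_OBJECT_HANDLE *sourceHandles, CK_ULONG objectType)
{
    for (CK_ULONG i = 0; i < n; i++) {
        d[i].objectType   = objectType;
        d[i].sourceHandle = sourceHandles[i];
        d[i].targetHandle = 0;
        d[i].rv           = CKR_CLONE_NOT_ATTEMPTED;
    }
}

/* Classify every object after the call. Returns 1 only when the API itself
 * returned CKR_OK AND every object reports CKR_OK: with CKF_CONTINUE_ON_ERR
 * the API returns CKR_OK even though individual objects failed. */
int migration_summarize(CK_RV apiRv, const CK_OBJECT_MIGRATION_DATA *d, CK_ULONG n,
                        MigrationSummary *s)
{
    s->cloned = s->failed = s->notAttempted = 0;
    for (CK_ULONG i = 0; i < n; i++) {
        if (d[i].rv == CKR_OK)                       s->cloned++;
        else if (d[i].rv == CKR_CLONE_NOT_ATTEMPTED) s->notAttempted++;
        else                                         s->failed++;
    }
    return apiRv == CKR_OK && s->cloned == n;
}

/* Index of the first object that was not cloned (failed or never attempted),
 * or -1 when every object succeeded. A retry would resume from here. */
long migration_first_problem(const CK_OBJECT_MIGRATION_DATA *d, CK_ULONG n)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (d[i].rv != CKR_OK) return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed outcome: how the array would look after a CA_MigrateKeys
     * call made with CKF_CONTINUE_ON_ERR in which the second object failed.
     * No HSM is involved; the handles and codes are illustrative. */
    CK_OBJECT_HANDLE src[3] = { 10, 11, 12 };
    CK_OBJECT_MIGRATION_DATA d[3];
    MigrationSummary s;
    CK_ULONG flags = CKF_CONTINUE_ON_ERR;

    migration_data_init(d, 3, src, 0);
    d[0].rv = CKR_OK;           d[0].targetHandle = 100;
    d[1].rv = CKR_DEVICE_ERROR;                         /* this one failed */
    d[2].rv = CKR_OK;           d[2].targetHandle = 102;

    int allOk = migration_summarize(CKR_OK, d, 3, &s);  /* API returned CKR_OK */
    printf("flags=0x%lx api=CKR_OK allOk=%d cloned=%lu failed=%lu notAttempted=%lu\n",
           flags, allOk, s.cloned, s.failed, s.notAttempted);
    for (CK_ULONG i = 0; i < 3; i++)
        printf("  source 0x%lx -> target 0x%lx rv=0x%lx\n",
               d[i].sourceHandle, d[i].targetHandle, d[i].rv);
    return 0;
}
```

The two cases the documentation distinguishes fall out of the summary: an individual failure under CKF_CONTINUE_ON_ERR shows up as failed > 0 with the API still returning CKR_OK, while a failure in the core logic shows up as a non-CKR_OK API return with notAttempted > 0 for everything after the point of failure. Treating the API return code alone as success would miss the first case entirely.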

CA_MigrationCloseSession

This API terminates a session. When it is called, the session key and all of its context/state is deleted. If the session key does not exist, no error is returned. This is because some implementations might proactively clean up sessions that have expired, so it is expected that by the time this API is called, the session might no longer exist. In this case, CKR_SESSION_ID_INVALID is returned.

CA_MigrationCloseSession(CK_SESSION_HANDLE hSession, 
                         CK_ULONG          sessionUidLen, 
                         CK_BYTE_PTR       sessionUid); 
I/O Argument Description
In hSession The authenticated session handle.
sessionUidLen The length of the session ID.
sessionUid The identifier for the session to be closed.

CA_MigrationContinueSessionNegotiation

This is called to continue the negotiation; when it is first called on the second HSM, it technically starts the negotiation there. As the API is called from one HSM to the next, all of the output values are passed to the “other” HSM as input values.

The first call to CA_MigrationContinueSessionNegotiation generates a session ID for the session being negotiated. All following calls to this API must pass in the same session ID.

When the negotiation is complete, status=2 is returned. The content of the output values must be passed in to the other HSM as input to the first call to either CA_Extract or CA_Insert to complete the negotiation on the other HSM.

CA_MigrationContinueSessionNegotiation(CK_SESSION_HANDLE hSession, 
                                       CK_ULONG          inputStep, 
                                       CK_ULONG          inputLength, 
                                       CK_BYTE_PTR       input, 
                                       CK_ULONG          sessionUidInputLen, 
                                       CK_BYTE_PTR       sessionUidInput, 
                                       CK_ULONG_PTR      outputStep, 
                                       CK_ULONG_PTR      outputLength, 
                                       CK_BYTE_PTR       output, 
                                       CK_ULONG_PTR      status, 
                                       CK_ULONG_PTR      sessionUidOutputLen, 
                                       CK_BYTE_PTR       sessionUidOutput); 
I/O Argument Description
In hSession

The authenticated session on the partition on the source or target HSM, depending on which step of the protocol is being implemented.

inputStep

The step identifier used by the HSM to identify the content of the input memory buffer.

inputLength

The length of the buffer pointed to by input. This value cannot be 0.

input

A memory buffer of size inputLength. This value cannot be NULL.

sessionUidInputLen

Defines the length of the memory buffer pointed to by sessionUidInput.

sessionUidInput

The Identifier for the session used to extract/insert key blobs. During a negotiation phase, the first time this API is called, this length+value pair can be NULL and zero. For all following calls to this API, the value returned via the sessionUidOutput and sessionUidOutputLength parameters should be passed in via this length+value pair.

Out outputStep

The step identifier used by the HSM to identify the content of the output.

In/Out outputLength

Defines the length of the memory buffer pointed to by output. This parameter cannot be NULL. If output is NULL, this parameter is updated with the size of the memory buffer required.

Out output

A pointer to a memory buffer of size outputLength. This pointer can be set to NULL to request the length of the required buffer.

status The status of the negotiation. This field is set to either 1 (MORE) or 2 (DONE), which indicates if CA_MigrationContinueSessionNegotiation needs to be called again on the other member.
sessionUidOutputLen

Defines the length of the memory buffer pointed to by sessionUidOutput. This parameter cannot be NULL. If sessionUidOutput is NULL, this parameter is updated with the size of the memory buffer required.

sessionUidOutput

The Identifier for the session used to extract/insert key blobs. If this parameter is not NULL, then this buffer receives the session identifier for the session being negotiated.

This API returns more than one piece of output data. To keep both the application and the API implementation simple, query the required size of every output buffer in a single call by passing NULL pointers for all of them; output fields cannot be queried one at a time.

For information on error codes, see CPv4 PKCS#11 Error Code Summary.

CA_MigrationStartSessionNegotiation

This API starts a session key negotiation with a partition on the source or target HSM.

CA_MigrationStartSessionNegotiation(CK_SESSION_HANDLE hSession, 
                                    CK_ULONG          inputLength, 
                                    CK_BYTE_PTR       input, 
                                    CK_ULONG_PTR      step, 
                                    CK_ULONG_PTR      outputLength, 
                                    CK_BYTE_PTR       output); 
I/O Argument Description
In hSession The authenticated session handle.
inputLength

The length of the buffer pointed to by “input”. Using CPv4, this value must be 0, but the APIs and library support passing this value to the HSM. If this value is not zero, a valid memory buffer must be pointed to by “input”.

input

A memory buffer of size “inputLength”. This parameter is not currently used and is defined for future use: using CPv4, this value must be NULL, but the APIs and library support passing it to the HSM. If “inputLength” is not zero, this pointer must point to a valid memory buffer.

Out step

A “step” identifier used by the HSM to identify the step of the protocol being returned by the specific call to this API. The value is used by the HSM to identify the content of the opaque blob referred to by “output”.

In/Out outputLength

Defines the length of the memory buffer pointed to by “output”. This parameter cannot be NULL. If “output” is NULL, this parameter is updated with the size of the memory buffer required.

Out output

A pointer to a memory buffer of size “outputLength”. This pointer can be set to NULL to request the length of the required buffer.

For information on error codes, see CPv4 PKCS#11 Error Code Summary.
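
The driver below is an added example and not code from the Luna documentation or SDK. It binds CA_MigrationStartSessionNegotiation and CA_MigrationContinueSessionNegotiation through Python ctypes and runs the ping-pong between the two partitions until one side reports DONE (status 2), passing every output straight into the other side's next call. Assumed, because the page does not state them: the client library file name libCryptoki2_64.so, CKR_OK being 0, CK_ULONG being the platform unsigned long, and that the session UID returned by the first Continue call is the one every later call on either HSM must present.

```python
"""Driver for the two-HSM session-key negotiation described above.

Added example, not Thales code. Assumptions not stated on the page: the
client library file name libCryptoki2_64.so, CKR_OK == 0, CK_ULONG is the
platform unsigned long, and the session UID returned by the first Continue
call is the one presented on every later call, on either HSM.
"""
import ctypes
from ctypes import POINTER, c_ubyte, c_ulong, pointer

CKR_OK = 0
STATUS_MORE, STATUS_DONE = 1, 2          # 'status' values documented above
MAX_ROUNDS = 16                          # guard against a protocol that never reports DONE
BYTES = POINTER(c_ubyte)                 # CK_BYTE_PTR


def load_luna(path="libCryptoki2_64.so"):   # assumed library file name
    lib = ctypes.CDLL(path)
    start, cont = (lib.CA_MigrationStartSessionNegotiation,
                   lib.CA_MigrationContinueSessionNegotiation)
    start.argtypes = [c_ulong, c_ulong, BYTES, POINTER(c_ulong), POINTER(c_ulong), BYTES]
    cont.argtypes = [c_ulong, c_ulong, c_ulong, BYTES, c_ulong, BYTES, POINTER(c_ulong),
                     POINTER(c_ulong), BYTES, POINTER(c_ulong), POINTER(c_ulong), BYTES]
    start.restype = cont.restype = c_ulong   # CK_RV; vendor codes are >= 0x80000000
    return lib


def _check(rv, name):
    if rv != CKR_OK:
        raise RuntimeError(f"{name} failed: CKR 0x{rv:08X}")


def start_negotiation(lib, hsession):
    """CA_MigrationStartSessionNegotiation on the source partition -> (step, output).
    CPv4 requires inputLength 0 and input NULL; output is sized by a NULL query."""
    name = "CA_MigrationStartSessionNegotiation"
    step, out_len = c_ulong(), c_ulong(0)
    _check(lib.CA_MigrationStartSessionNegotiation(
        hsession, 0, None, pointer(step), pointer(out_len), None), name)
    out = (c_ubyte * out_len.value)()
    _check(lib.CA_MigrationStartSessionNegotiation(
        hsession, 0, None, pointer(step), pointer(out_len), out), name)
    return step.value, bytes(out[: out_len.value])


def continue_negotiation(lib, hsession, in_step, in_buf, uid):
    """One CA_MigrationContinueSessionNegotiation call -> (step, output, status, uid).
    Both output buffers are sized in a single NULL-pointer query, as required."""
    if not in_buf:
        raise ValueError("inputLength cannot be 0")
    name = "CA_MigrationContinueSessionNegotiation"
    inp = (c_ubyte * len(in_buf)).from_buffer_copy(in_buf)
    uid_in = (c_ubyte * len(uid)).from_buffer_copy(uid) if uid else None  # first call: NULL/0
    out_step, out_len, status, uid_len = c_ulong(), c_ulong(0), c_ulong(), c_ulong(0)

    def call(out, uid_out):
        return lib.CA_MigrationContinueSessionNegotiation(
            hsession, in_step, len(in_buf), inp, len(uid), uid_in,
            pointer(out_step), pointer(out_len), out,
            pointer(status), pointer(uid_len), uid_out)

    _check(call(None, None), name)                    # size query for every output at once
    out, uid_out = (c_ubyte * out_len.value)(), (c_ubyte * uid_len.value)()
    _check(call(out, uid_out), name)
    return out_step.value, bytes(out), status.value, bytes(uid_out)


def negotiate(start, cont_src, cont_dst):
    """Run the ping-pong until one HSM reports DONE.

    start() -> (step, output) wraps start_negotiation on the source partition;
    cont_src/cont_dst(step, input, uid) -> (step, output, status, uid) wrap
    continue_negotiation on each side. Returns (step, output, side, uid), where
    'side' names the HSM whose first CA_Extract/CA_Insert must receive the final
    output, i.e. the one that did not report DONE.
    """
    step, out = start()
    uid = b""                                  # no session UID before the first Continue
    cont = {"src": cont_src, "dst": cont_dst}
    side, other = "dst", "src"                 # Start ran on src, so dst answers first
    for _ in range(MAX_ROUNDS):
        step, out, status, uid = cont[side](step, out, uid)
        if status == STATUS_DONE:
            return step, out, other, uid
        if status != STATUS_MORE:
            raise RuntimeError(f"unexpected negotiation status {status}")
        side, other = other, side
    raise RuntimeError("negotiation did not complete")
```

The wrappers for a real deployment are built from load_luna plus two authenticated session handles, e.g. cont_src = lambda s, i, u: continue_negotiation(lib, h_src, s, i, u). Note that the Continue wrapper sizes output and sessionUidOutput in one NULL-pointer call and then fills both in a second call; querying them in separate calls is not supported by this API.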

CA_ModifyMofN

Modify the M of N secret splitting vector on a token.

CA_ModifyMofN(CK_SESSION_HANDLE      hSession, 
              CK_ULONG               ulM, 
              CA_MOFN_GENERATION_PTR pVectors, 
              CK_ULONG               ulVectorCount, 
              CK_ULONG               isSecurePortUsed, 
              CK_VOID_PTR            pReserved); 

CA_ModifyUsageCount

Modify the usage count on a key object.

CA_ModifyUsageCount(CK_SESSION_HANDLE hSession, 
                    CK_OBJECT_HANDLE  hObject, 
                    CK_ULONG          ulCommandType, 
                    CK_ULONG          ulValue); 

CA_MTKResplit

Generate a new MTK split and set a new purple PED key value.

CA_MTKResplit(CK_SLOT_ID slotID); 
I/O Argument Description
In slotID

The slot number.

CA_MTKRestore

Return the MTK. You must provide the purple key to recover from tamper.

CA_MTKRestore(CK_SLOT_ID slotID); 
I/O Argument Description
In slotID

The slot number.

CA_MTKSetStorage

Create the purple key and enable STM/SRK.

CA_MTKSetStorage(CK_SESSION_HANDLE ulSessionNumber, 
                 CK_ULONG          ulStorageSetting); 

CA_MTKZeroize

Erase the MTK (user-invoked tamper) and put the HSM into Secure Transport Mode.

CA_MTKZeroize(CK_SLOT_ID slotID); 
I/O Argument Description
In slotID

The slot number.

CA_MultisignValue

CA_MultisignValue(CK_SESSION_HANDLE hSession, 
                  CK_MECHANISM_PTR  pMechanism, 
                  CK_ULONG          ulMaskedKeyLen, 
                  CK_BYTE_PTR       pMaskedKey, 
                  CK_ULONG_PTR      pulBlobCount, 
                  CK_ULONG_PTR      pulBlobLens, 
                  CK_BYTE_PTR       CK_PTR ppBlobs, 
                  CK_ULONG_PTR      pulSignatureLens, 
                  CK_BYTE_PTR       CK_PTR ppSignatures); 

CA_OpenApplicationID

Activate an application identifier, independent of any open sessions. This function is deprecated in Luna HSM Firmware 7.7.0 and newer. Use CA_OpenApplicationIDV2 instead.

CA_OpenApplicationID(CK_SLOT_ID slotID, 
                     CK_ULONG   ulHigh, 
                     CK_ULONG   ulLow); 

CA_OpenApplicationIDForContainer

Activate an application identifier for a specified partition, independent of any open sessions. This function is deprecated in Luna HSM Firmware 7.7.0 and newer. Use CA_OpenApplicationIDForContainerV2 instead.

CA_OpenApplicationIDForContainer(CK_SLOT_ID slotID, 
                                 CK_ULONG   ulHigh, 
                                 CK_ULONG   ulLow, 
                                 CK_ULONG   ulContainerNumber); 

CA_OpenApplicationIDForContainerV2

Activate an application identifier for a specified partition, independent of any open sessions. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0. For older firmware/client versions, use CA_OpenApplicationIDForContainer.

CA_OpenApplicationIDForContainerV2(CK_SLOT_ID              slotID, 
                                   const CK_APPLICATION_ID * pAppId, 
                                   CK_ULONG                ulContainerNumber); 

CA_OpenApplicationIDV2

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0. For older firmware/client versions, use CA_OpenApplicationID.

CA_OpenApplicationIDV2(CK_SLOT_ID              slotID, 
                       const CK_APPLICATION_ID * pAppId); 

CA_OpenSession

Open a session on the specified partition.

CA_OpenSession(CK_SLOT_ID            slotID, 
               CK_ULONG              ulContainerNumber, 
               CK_FLAGS              flags, 
               CK_VOID_PTR           pApplication, 
               CK_NOTIFY             Notify, 
               CK_SESSION_HANDLE_PTR phSession); 

CA_OpenSessionWithAppID

Open a session on the specified partition, using the specified AppID. This function is deprecated in Luna HSM Firmware 7.7.0 and newer. Instead, use CA_OpenSessionWithAppIDV2.

CA_OpenSessionWithAppID(CK_SLOT_ID            slotID, 
                        CK_FLAGS              flags, 
                        CK_ULONG              ulHigh, 
                        CK_ULONG              ulLow, 
                        CK_VOID_PTR           pApplication, 
                        CK_NOTIFY             Notify, 
                        CK_SESSION_HANDLE_PTR phSession); 

CA_OpenSessionWithAppIDV2

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_OpenSessionWithAppIDV2(CK_SLOT_ID              slotID, 
                          CK_FLAGS                flags, 
                          const CK_APPLICATION_ID * pAppId, 
                          CK_VOID_PTR             pApplication, 
                          CK_NOTIFY               Notify, 
                          CK_SESSION_HANDLE_PTR   phSession); 

CA_PerformModuleCall

CA_PerformModuleCall(CK_SESSION_HANDLE hSession, 
                     CKCA_MODULE_ID    moduleId, 
                     CK_BYTE_PTR       pRequest, 
                     CK_ULONG          ulRequestSize, 
                     CK_BYTE_PTR       pAnswer, 
                     CK_ULONG          ulAnswerSize, 
                     CK_ULONG_PTR      pulAnswerAvailable); 

CA_PerformSelfTest

Perform a self-test of the HSM's RNG statistics and cryptographic algorithms.

CA_PerformSelfTest(CK_SLOT_ID   slotID, 
                   CK_ULONG     typeOfTest, 
                   CK_BYTE_PTR  inputData, 
                   CK_ULONG     sizeOfInputData, 
                   CK_BYTE_PTR  outputData, 
                   CK_ULONG_PTR sizeOfOutputData); 

CA_Put

Requires minimum Luna HSM Firmware 7.4.0 and Luna HSM Client 7.4.0.

CA_Put(CK_SLOT_ID        slotID, 
       CK_SESSION_HANDLE hSession, 
       CK_ULONG          ulParamId, 
       CK_ULONG          ulParamSize, 
       CK_BYTE_PTR       pParamBuffer); 

CA_QueryLicense

Get information about licenses and capability upgrades on the HSM. See also Upgrading HSM Capabilities and Partition Licenses.

CA_QueryLicense(CK_SLOT_ID   slotID, 
                CK_ULONG     licenseIdLow, 
                CK_ULONG     licenseIdHigh, 
                CK_ULONG_PTR pulLicenseType, 
                CK_ULONG_PTR pulDescVersion, 
                CK_ULONG_PTR pulDescSize, 
                CK_BYTE_PTR  pbDescBuffer); 

CA_RandomizeApplicationID

Set an application accessID to a random value. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_RandomizeApplicationID(void); 

CA_ReadAllUtilizationCounters

Requires minimum Luna HSM Firmware 7.3.0 and Luna HSM Client 7.3.0.

CA_ReadAllUtilizationCounters(CK_SESSION_HANDLE          hSession, 
                              CK_UTILIZATION_COUNTER_PTR buff, 
                              CK_ULONG_PTR               length); 

CA_ReadAndResetUtilizationMetrics

Requires minimum Luna HSM Firmware 7.3.0 and Luna HSM Client 7.3.0.

CA_ReadAndResetUtilizationMetrics(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_ReadCommonStore

CA_ReadCommonStore(CK_ULONG     index, 
                   CK_BYTE_PTR  pBuffer, 
                   CK_ULONG_PTR pulBufferSize); 

CA_ReadUtilizationCount

Requires minimum Luna HSM Firmware 7.3.0 and Luna HSM Client 7.3.0.

CA_ReadUtilizationCount(CK_SESSION_HANDLE        hSession, 
                        CK_ULONGLONG             serialNum, 
                        CK_ULONG                 ulBinId, 
                        CK_ULONG                 ulCounterId, 
                        CK_UTILIZATION_COUNT_PTR pCount); 

CA_ReadUtilizationMetrics

Requires minimum Luna HSM Firmware 7.3.0 and Luna HSM Client 7.3.0.

CA_ReadUtilizationMetrics(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_ReplaceFastPathKEK

CA_ReplaceFastPathKEK(CK_SESSION_HANDLE hSession); 
I/O Argument Description
In hSession The authenticated session handle.

CA_ResetAuthorizationData

Reset the authorization data for a key. This function is available to the CO role only, and only for the unassigned keys. This function also resets the authorization failure count (CKA_FAILED_KEY_AUTH_COUNT) for a locked-out key and unlocks it. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_ResetAuthorizationData(CK_SESSION_HANDLE hSession, 
                          CK_OBJECT_HANDLE  hObject, 
                          CK_UTF8CHAR_PTR   pAuthData, 
                          CK_ULONG          ulAuthDataLen); 
I/O Argument Description
In hSession The authenticated session handle.
hObject

The object handle.

pAuthData

The user's authentication data.

ulAuthDataLen

The length of the authentication data.

Return Code Hex Description
CKR_AUTH_DATA_TOO_LARGE    The supplied authorization data is longer than the maximum permitted length.
CKR_AUTH_DATA_TOO_SMALL    The supplied authorization data is shorter than the minimum permitted length.

CA_ResetDevice

Resets the HSM. See also lunacm:> hsm restart.

CA_ResetDevice(CK_SLOT_ID slotId, 
               CK_FLAGS   flags); 

CA_ResetPIN

Allow the Partition SO to reset the Crypto Officer credential if that role has been locked out. HSM policy 15: SO can reset partition PIN must be set to 1. See also Resetting the Crypto Officer, Limited Crypto Officer, or Crypto User Credential.

CA_ResetPIN(CK_SESSION_HANDLE hSession, 
            CK_CHAR_PTR       pPin, 
            CK_ULONG          usPinLen); 

CA_Restart

Clean up all sessions on the specified slot.

CA_Restart(CK_SLOT_ID slotID); 
I/O Argument Description
In slotID

The slot number.

CA_RestartForContainer

Clean up all sessions for a specified partition.

CA_RestartForContainer(CK_SLOT_ID slotID, 
                       CK_ULONG   ulContainerNumber); 

CA_RetrieveLicenseList

Get a list of all HSM licenses and capabilities.

CA_RetrieveLicenseList(CK_SLOT_ID   slotID, 
                       CK_ULONG_PTR pulidArraySize, 
                       CK_ULONG_PTR pulidArray); 

CA_RoleStateGet

Get the state of a specified role (initialized, activated, failed logins, challenge created, etc) on a specified slot.

CA_RoleStateGet(CK_SLOT_ID    slotID, 
                CK_USER_TYPE  userType, 
                CA_ROLE_STATE *pRoleState); 

CA_RoleStateGetExtended

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_RoleStateGetExtended(CK_SLOT_ID            slotID, 
                        CK_USER_TYPE          userType, 
                        CA_ROLE_STATE_EXT_PTR pRoleState); 

CA_SessionCancel

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_SessionCancel(CK_SESSION_HANDLE hSession, 
                 CK_FLAGS          flags); 

CA_SetApplicationID

Set the application's identifier. This function is deprecated in Luna HSM Firmware 7.7.0 and newer. Use CA_SetApplicationIDV2 instead.

CA_SetApplicationID(CK_ULONG ulHigh, 
                    CK_ULONG ulLow); 

CA_SetApplicationIDV2

Set the application's identifier. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0. For older firmware/client versions, use CA_SetApplicationID.

CA_SetApplicationIDV2(const CK_APPLICATION_ID * pAppId); 

CA_SetAuthorizationData

Modify the authorization data for a key. This function is available to all roles without any requirement to have first authorized the key with CA_AuthorizeKey, since the call itself takes the current authorization data as a parameter. The old (current) auth data is an optional parameter; when it is omitted, the call appears to the end-user as though they are setting the per-key auth of an imported key for the first time. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_SetAuthorizationData(CK_SESSION_HANDLE hSession, 
                        CK_OBJECT_HANDLE  hObject, 
                        CK_UTF8CHAR_PTR   pOldAuthData, 
                        CK_ULONG          ulOldAuthDataLen, 
                        CK_UTF8CHAR_PTR   pNewAuthData, 
                        CK_ULONG          ulNewAuthDataLen); 
I/O Argument Description
In hSession The authenticated session handle.
hObject

The object handle.

pOldAuthData

The user's old/current authentication data. Optional.

If not provided, the library fills this in with the value “Luna”. This accommodates keys imported through the migration scenarios, whose authorization data is initially set from the access and is therefore also “Luna”.

ulOldAuthDataLen The length of the old/current authentication data. Optional (see pOldAuthData above).
pNewAuthData The user's new authentication data.
ulNewAuthDataLen The length of the new authentication data.
Return Code Hex Description
CKR_AUTH_DATA_TOO_LARGE    The supplied authorization data is longer than the maximum permitted length.
CKR_AUTH_DATA_TOO_SMALL    The supplied authorization data is shorter than the minimum permitted length.

CA_SetCloningDomain

Set the domain string used during token initialization.

CA_SetCloningDomain(CK_BYTE_PTR pCloningDomainString, 
                    CK_ULONG    ulCloningDomainStringLen); 

CA_SetContainerPolicies

Set multiple partition policies simultaneously on the specified partition. See also Setting Partition Policies Manually.

CA_SetContainerPolicies(CK_SESSION_HANDLE hSession, 
                        CK_ULONG          ulContainer, 
                        CK_ULONG          ulPolicyCount, 
                        CK_ULONG_PTR      pulPolicyIdArray, 
                        CK_ULONG_PTR      pulPolicyValueArray); 

CA_SetContainerPolicy

Set a single policy on the specified partition. See also Setting Partition Policies Manually.

CA_SetContainerPolicy(CK_SESSION_HANDLE hSession, 
                      CK_ULONG          ulContainer, 
                      CK_ULONG          ulPolicyId, 
                      CK_ULONG          ulPolicyValue); 

CA_SetContainerSize

Set the size of the storage on a partition. See also Customizing Partition Sizes.

CA_SetContainerSize(CK_SESSION_HANDLE hSession, 
                    CK_ULONG          ulContainerNumber, 
                    CK_ULONG          ulSize); 

CA_SetDestructiveHSMPolicies

Set multiple destructive HSM policies simultaneously. See also Setting HSM Policies Manually.

CA_SetDestructiveHSMPolicies(CK_SESSION_HANDLE hSession, 
                             CK_ULONG          ulPolicyCount, 
                             CK_ULONG_PTR      pulPolicyIdArray, 
                             CK_ULONG_PTR      pulPolicyValueArray); 

CA_SetDestructiveHSMPolicy

Set a single destructive HSM policy. See also Setting HSM Policies Manually.

CA_SetDestructiveHSMPolicy(CK_SESSION_HANDLE hSession, 
                           CK_ULONG          ulPolicyId, 
                           CK_ULONG          ulPolicyValue); 

CA_SetExtendedTPV

Sets the token's TPV and extended TPV.

CA_SetExtendedTPV(CK_SESSION_HANDLE hSession, 
                  CK_ULONG          ulTpv, 
                  CK_ULONG          ulTpvExt); 

CA_SetHSMPolicies

Set multiple non-destructive HSM policies simultaneously. See also Setting HSM Policies Manually.

CA_SetHSMPolicies(CK_SESSION_HANDLE hSession, 
                  CK_ULONG          ulPolicyCount, 
                  CK_ULONG_PTR      pulPolicyIdArray, 
                  CK_ULONG_PTR      pulPolicyValueArray); 

CA_SetHSMPolicy

Set a single non-destructive HSM policy. See also Setting HSM Policies Manually.

CA_SetHSMPolicy(CK_SESSION_HANDLE hSession, 
                CK_ULONG          ulPolicyId, 
                CK_ULONG          ulPolicyValue); 

CA_SetKCV

Set the cloning domain (Key Cloning Vector) on the partition.

CA_SetKCV(CK_SESSION_HANDLE hSession, 
          CK_BYTE_PTR       pCloningDomainString, 
          CK_ULONG          ulCloningDomainStringLen); 

CA_SetLKCV

Set a Legacy cloning domain (Key Cloning Vector) on the partition. Used only on password-authenticated HSMs, and not recommended. Kept for compatibility with previous, existing configurations; will be discontinued in a future release.

CA_SetLKCV(CK_SESSION_HANDLE hSession, 
           CK_BYTE_PTR       pLegacyCloningDomainString, 
           CK_ULONG          ulLegacyCloningDomainStringLen); 

CA_SetMofN

Set the security policy for the token to use the secret sharing feature.

CA_SetMofN(CK_BBOOL bFlag); 

CA_SetPedID

Set the PED ID for the specified slot.

CA_SetPedId(CK_SLOT_ID slotId, 
            CK_ULONG   usPedId); 

CA_SetRDK

Set the RDK (role-specific KCV) for the current role.

CA_SetRDK(CK_SESSION_HANDLE hSession, 
          const CK_BYTE     *pCloningDomainString, 
          CK_ULONG          ulCloningDomainStringLen); 

CA_SetTokenCertificateSignature

Sign the cloning certificate with the private keys generated for key cloning operations.

CA_SetTokenCertificateSignature(CK_SESSION_HANDLE hSession, 
                                CK_ULONG          ulAccessLevel, 
                                CK_ULONG          ulCustomerId, 
                                CK_ATTRIBUTE_PTR  pPublicTemplate, 
                                CK_ULONG          usPublicTemplateLen, 
                                CK_BYTE_PTR       pSignature, 
                                CK_ULONG          ulSignatureLen); 

CA_SetTokenPolicies

Set partition policies for the specified slot.

CA_SetTokenPolicies(CK_SESSION_HANDLE hSession, 
                    CK_SLOT_ID        ulSlotID, 
                    CK_ULONG          ulPolicyCount, 
                    CK_ULONG_PTR      pulPolicyIdArray, 
                    CK_ULONG_PTR      pulPolicyValueArray); 

CA_SetTPV

Sets the token's TPV.

CA_SetTPV(CK_SESSION_HANDLE hSession, 
          CK_ULONG          ulTpv); 

CA_SIMExtract

Takes a list of object handles, extracts the objects using the given blob (binary large object) authorization data for protection and returns the extracted set of objects as a single data blob. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

NOTE   Individual SKS blobs are limited to 64KB in size. Large groups of keys, or larger data objects might need to be split across multiple blobs for extraction or insertion.

CA_SIMExtract(CK_SESSION_HANDLE    hSession, 
              CK_ULONG             ulHandleCount, 
              CK_OBJECT_HANDLE_PTR pHandleList, 
              CK_ULONG             ulAuthSecretCount, 
              CK_ULONG             ulAuthSubsetCount, 
              CKA_SIM_AUTH_FORM    authForm, 
              CK_ULONG_PTR         pulAuthSecretSizes, 
              CK_BYTE_PTR          *ppbAuthSecretList, 
              CK_BBOOL             deleteAfterExtract, 
              CK_ULONG_PTR         pulBlobSize, 
              CK_BYTE_PTR          pBlob); 
I/O Argument Description
In hSession The authenticated session handle.
ulHandleCount

The number of objects specified in pHandleList.

pHandleList

Pointer to an array of object handles to be extracted.

ulAuthSecretCount

The N value -- the total number of accepted authentication passwords.

ulAuthSubsetCount

The M value -- the minimum number of acceptable passwords required to decrypt the blob.

authForm

Two forms of authorization are supported: no authorization, and M-of-N passwords. Note that the password form of authorization does not cryptographically protect the key material; it consists of a comparison between the N encrypted values stored in the header and the M plain-text passwords specified upon insertion.

0: no authentication

1: M of N passwords

pulAuthSecretSizes

Pointer to an array of N string lengths, one for each password supplied in ppbAuthSecretList.

NULL when 0 is specified for authForm.

*ppbAuthSecretList

Pointer to an array of the N password strings that will be accepted to authenticate the blob.

NULL when 0 is specified for authForm.

deleteAfterExtract

Boolean determining whether to delete the keys from the partition after extracting the blob.

Out pulBlobSize

The size of the extracted blob.

pBlob

The encrypted blob.

See also Scalable Key Storage.

CA_SIMInsert

Takes a previously extracted blob as input, validates the blob authorization data, inserts the objects contained in the blob into the HSM, and returns the list of handles assigned to the objects. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

NOTE   Individual SKS blobs are limited to 64KB in size. Large groups of keys, or larger data objects might need to be split across multiple blobs for extraction or insertion.

CA_SIMInsert(CK_SESSION_HANDLE    hSession, 
             CK_ULONG             ulAuthSecretCount, 
             CKA_SIM_AUTH_FORM    authForm, 
             CK_ULONG_PTR         pulAuthSecretSizes, 
             CK_BYTE_PTR          *ppbAuthSecretList, 
             CK_ULONG             ulBlobSize, 
             CK_BYTE_PTR          pBlob, 
             CK_ULONG_PTR         pulHandleCount, 
             CK_OBJECT_HANDLE_PTR pHandleList); 
I/O Argument Description
In hSession The authenticated session handle.
ulAuthSecretCount

The number of authentication passwords supplied. Must be equal to M as defined during blob extraction.

authForm

Two forms of authorization are supported: no authorization, and M-of-N passwords. Note that the password form of authorization does not cryptographically protect the key material; it consists of a comparison between the N encrypted values stored in the header and the M plain-text passwords specified upon insertion.

0: no authentication

1: M of N passwords

pulAuthSecretSizes

Pointer to an array of M string lengths for the passwords supplied in ppbAuthSecretList.

*ppbAuthSecretList

Pointer to an array of M password strings to use to authenticate the blob.

ulBlobSize

The size of the encrypted blob.

pBlob

The encrypted blob.

Out pulHandleCount

Pointer to the number of objects that were inserted.

pHandleList

Pointer to an array of object handles assigned to the inserted objects.

See also Scalable Key Storage.

CA_SIMInsertExtended

Takes a previously extracted blob as input, validates the blob authorization data, inserts the objects contained in the blob into the HSM, and returns the list of handles assigned to the objects. Requires Luna HSM Client 10.6.0 or newer.

CA_SIMInsertExtended(CK_SESSION_HANDLE    hSession, 
                     CK_ULONG             ulAuthSecretCount, 
                     CKA_SIM_AUTH_FORM    authForm, 
                     CK_ULONG_PTR         pulAuthSecretSizes, 
                     CK_BYTE_PTR          *ppbAuthSecretList, 
                     CK_ULONG             ulBlobSize, 
                     CK_BYTE_PTR          pBlob, 
                     CK_ULONG_PTR         pulHandleCount, 
                     CK_OBJECT_HANDLE_PTR pHandleList, 
                     CK_ULONG             ulStorageType, 
                     CK_ULONG             ulInsertMode); 
I/O Argument Description
In hSession The authenticated session handle.
ulAuthSecretCount

The number of authentication passwords supplied. Must be equal to M as defined during blob extraction.

authForm

Two forms of authorization are supported: no authorization, and M-of-N passwords. Note that the password form of authorization does not cryptographically protect the key material; it consists of a comparison between the N encrypted values stored in the header and the M plain-text passwords specified upon insertion.

0: no authentication

1: M of N passwords

pulAuthSecretSizes

Pointer to an array of M string lengths for the passwords supplied in ppbAuthSecretList.

*ppbAuthSecretList

Pointer to an array of M password strings to use to authenticate the blob.

ulBlobSize

The size of the encrypted blob.

pBlob

The encrypted blob.

ulStorageType

 

ulInsertMode

 

Out pulHandleCount

Pointer to the number of objects that were inserted.

pHandleList

Pointer to an array of object handles assigned to the inserted objects.

See also Scalable Key Storage.

CA_SIMMultiSign

Takes a previously extracted blob as input, validates the authorization data, then uses the key material in the given key blob to sign the various pieces of data in the input data table, returning the signatures through the signature table. The key exists on the HSM only during the processing of the command and does not persist afterward. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

If the blob contains more than one key, the key in the blob that is suitable for the requested signature mechanism is used to sign the data. If there are multiple candidates, an error is returned.

CA_SIMMultiSign(CK_SESSION_HANDLE hSession, 
                CK_MECHANISM_PTR  pMechanism, 
                CK_ULONG          ulAuthSecretCount, 
                CKA_SIM_AUTH_FORM authForm, 
                CK_ULONG_PTR      pulAuthSecretSizes, 
                CK_BYTE_PTR       *ppbAuthSecretList, 
                CK_ULONG          ulBlobSize, 
                CK_BYTE_PTR       pBlob, 
                CK_ULONG          ulInputDataCount, 
                CK_ULONG_PTR      pulInputDataLengths, 
                CK_BYTE_PTR       *ppbInputDataList, 
                CK_ULONG_PTR      pulSignatureLengths, 
                CK_BYTE_PTR       *ppbSignatureList); 
I/O Argument Description
In hSession The authenticated session handle.
pMechanism

Specifies the mechanism to use for the operation.

ulAuthSecretCount

The N value -- the total number of accepted authentication passwords.

authForm

Two forms of authorization are supported: no authorization, and M-of-N passwords. Note that the password form of authorization does not cryptographically protect the key material; it consists of a comparison between the N encrypted values stored in the header and the M plain-text passwords specified upon insertion.

0: no authentication

1: M of N passwords

NOTE   Per-key authorization data is not passed in to the HSM with this call to authorize the inserted key object. If the inserted key has a per-key authorization attribute defined, this function is tied to access-based per-key authorization.

pulAuthSecretSizes

Pointer to an array of M string lengths for the passwords supplied in ppbAuthSecretList.

*ppbAuthSecretList

Pointer to an array of M password strings to use to authenticate the blob.

ulBlobSize

The size of the encrypted blob.

pBlob

The encrypted blob.

ulInputDataCount The number of objects to be signed, specified in ppbInputDataList.
pulInputDataLengths Pointer to an array of lengths of the data objects specified in ppbInputDataList.
*ppbInputDataList Pointer to an array of data objects to be signed.
Out pulSignatureLengths Pointer to the lengths of the signed data objects.
*ppbSignatureList Pointer to the signed data objects.

See also Scalable Key Storage.

CA_SMKRollover

Moves the current SMK to the RolloverSMK slot and creates a new Primary SMK. This allows existing blobs to be inserted/decrypted with the Rollover SMK and re-extracted/re-encrypted with the new Primary SMK. Call it again to end the operation and complete the rollover. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_SMKRollover(CK_SESSION_HANDLE ulSessionNumber, 
               CK_ULONG          ulValue); 
I/O Argument Description
In ulSessionNumber

The session handle.

ulValue

Specifies whether to begin or end the rollover process, as described below:

1: Begin the rollover process. Moves the current SMK to the RolloverSMK location, and creates a new Primary SMK. Blobs that were encrypted with the old SMK can still be inserted, decrypted (see CA_SIMInsert), and then re-extracted with the new SMK (see CA_SIMExtract).

0: End the rollover process by deleting the RolloverSMK. Any blobs that are encrypted by this SMK are unrecoverable. Ensure that all important blobs have been re-inserted and re-extracted before using this option.

See also SMK Rollover.
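
The module below is an added example and not code from the Luna documentation or SDK. It serves the CA_SIMExtract and CA_SIMInsert entries above as well as this one: build_auth_secrets marshals an M-of-N password list into the ulAuthSecretCount/authForm/pulAuthSecretSizes/ppbAuthSecretList quartet (NULL arrays for authForm 0), LunaSim binds the three calls through Python ctypes, and reencrypt_blobs runs a complete rollover, ending it (and so deleting the Rollover SMK) only once every old blob has been re-inserted and re-extracted. Assumed, because the page does not state them: the client library file name libCryptoki2_64.so, CKR_OK being 0, CK_ULONG being the platform unsigned long, a 256-entry capacity for pHandleList, and that pulBlobSize and pulHandleCount carry the buffer capacity on input.

```python
"""SKS blob extract/insert with M-of-N passwords, and SMK rollover.

Added example, not Thales code. Assumptions not stated on the page: the
client library file name libCryptoki2_64.so, CKR_OK == 0, CK_ULONG is the
platform unsigned long, pHandleList holds up to 256 handles, and
pulBlobSize / pulHandleCount carry the buffer capacity on input.
"""
import ctypes
from ctypes import POINTER, c_int, c_ubyte, c_ulong, cast, pointer
from dataclasses import dataclass, field

CKR_OK = 0
SIM_AUTH_NONE, SIM_AUTH_MOFN = 0, 1          # authForm values from the page
SMK_ROLLOVER_BEGIN, SMK_ROLLOVER_END = 1, 0  # ulValue for CA_SMKRollover
MAX_BLOB = 64 * 1024                         # SKS blob limit stated on the page
MAX_HANDLES = 256                            # assumed capacity for pHandleList
BYTES = POINTER(c_ubyte)                     # CK_BYTE_PTR


@dataclass
class AuthSecrets:
    """ulAuthSecretCount, authForm, pulAuthSecretSizes, ppbAuthSecretList."""
    count: int
    form: int
    sizes: object = None
    ptrs: object = None
    _bufs: list = field(default_factory=list, repr=False)  # keeps password bytes alive


def build_auth_secrets(passwords):
    """Marshal a password list; an empty list selects authForm 0 with NULL arrays.
    The passwords only gate the blob: the key material is protected by the SMK."""
    raw = [p.encode("utf-8") for p in passwords]
    if not raw:
        return AuthSecrets(0, SIM_AUTH_NONE)
    bufs = [(c_ubyte * len(b)).from_buffer_copy(b) for b in raw]
    sizes = (c_ulong * len(raw))(*[len(b) for b in raw])
    ptrs = (BYTES * len(raw))(*[cast(b, BYTES) for b in bufs])
    return AuthSecrets(len(raw), SIM_AUTH_MOFN, sizes, ptrs, bufs)


def _check(rv, name):
    if rv != CKR_OK:
        raise RuntimeError(f"{name} failed: CKR 0x{rv:08X}")


class LunaSim:
    """Thin ctypes binding for the three calls used by reencrypt_blobs."""

    def __init__(self, hsession, lib_path="libCryptoki2_64.so"):  # assumed file name
        self.h, self.lib = hsession, ctypes.CDLL(lib_path)
        self.lib.CA_SIMExtract.argtypes = [
            c_ulong, c_ulong, POINTER(c_ulong), c_ulong, c_ulong, c_int,
            POINTER(c_ulong), POINTER(BYTES), c_ubyte, POINTER(c_ulong), BYTES]
        self.lib.CA_SIMInsert.argtypes = [
            c_ulong, c_ulong, c_int, POINTER(c_ulong), POINTER(BYTES),
            c_ulong, BYTES, POINTER(c_ulong), POINTER(c_ulong)]
        self.lib.CA_SMKRollover.argtypes = [c_ulong, c_ulong]
        for fn in (self.lib.CA_SIMExtract, self.lib.CA_SIMInsert, self.lib.CA_SMKRollover):
            fn.restype = c_ulong                 # CK_RV; vendor codes are >= 0x80000000

    def extract(self, handles, auth, m, delete_after=False):
        """All N = auth.count passwords are supplied now; M = m are needed to insert."""
        if auth.form == SIM_AUTH_MOFN and not 1 <= m <= auth.count:
            raise ValueError("M must be between 1 and N")
        hl = (c_ulong * len(handles))(*handles)
        blob, size = (c_ubyte * MAX_BLOB)(), c_ulong(MAX_BLOB)
        _check(self.lib.CA_SIMExtract(
            self.h, len(handles), hl, auth.count, m, auth.form, auth.sizes,
            auth.ptrs, int(delete_after), pointer(size), blob), "CA_SIMExtract")
        return bytes(blob[: size.value])

    def insert(self, blob, auth):
        """auth.count must equal the M chosen at extraction."""
        if len(blob) > MAX_BLOB:
            raise ValueError("SKS blobs are limited to 64KB")
        buf = (c_ubyte * len(blob)).from_buffer_copy(blob)
        hl, n = (c_ulong * MAX_HANDLES)(), c_ulong(MAX_HANDLES)
        _check(self.lib.CA_SIMInsert(
            self.h, auth.count, auth.form, auth.sizes, auth.ptrs,
            len(blob), buf, pointer(n), hl), "CA_SIMInsert")
        return list(hl[: n.value])

    def rollover(self, value):
        _check(self.lib.CA_SMKRollover(self.h, value), "CA_SMKRollover")


def reencrypt_blobs(ops, blobs, auth_insert, auth_extract, m):
    """Re-wrap every blob under the new Primary SMK and return the new blobs.

    ops provides insert/extract/rollover (LunaSim above). The rollover is ended,
    which deletes the Rollover SMK, only after every blob has been re-inserted
    and re-extracted; if any step raises, the rollover is left open so the old
    blobs remain recoverable, as the page warns.
    """
    ops.rollover(SMK_ROLLOVER_BEGIN)                 # old SMK -> Rollover slot
    new_blobs = []
    for blob in blobs:
        handles = ops.insert(blob, auth_insert)      # decrypted with the Rollover SMK
        new_blobs.append(ops.extract(handles, auth_extract, m, delete_after=True))
    ops.rollover(SMK_ROLLOVER_END)                   # reached only if every blob succeeded
    return new_blobs
```

A typical call is reencrypt_blobs(LunaSim(hsession), old_blobs, build_auth_secrets(m_passwords), build_auth_secrets(n_passwords), m): the insert side presents the M passwords that unlock the old blobs, the extract side presents the full N-password set for the new blobs. Because the end-of-rollover call is the irreversible step, the function never catches exceptions before it; an operator who sees a failure can re-run the job while the Rollover SMK still exists.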

CA_SpRawRead

Legacy PED key migration - read the PED key value from DataKey PED Key.

CA_SpRawRead(CK_SLOT_ID   slotId, 
             CK_ULONG_PTR data); 

CA_SpRawWrite

Legacy PED key migration - store the PED key value to iKey PED Key.

CA_SpRawWrite(CK_SLOT_ID   slotId, 
              CK_ULONG_PTR data); 

CA_STCClearCipherAlgorithm

Remove the specified Cipher Algorithm from use with STC for the specified slot.

CA_STCClearCipherAlgorithm(CK_SESSION_HANDLE hSession, 
                           CK_ULONG          TargetSlotID, 
                           CK_ULONG          CipherID); 

CA_STCClearDigestAlgorithm

Remove the specified Digest Algorithm from use with STC for the specified slot. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCClearDigestAlgorithm(CK_SESSION_HANDLE hSession, 
                           CK_ULONG          TargetSlotID, 
                           CK_ULONG          DigestID); //not supported

CA_STCDeregister

Remove STC registration of a client from the specified slot.

CA_STCDeregister(CK_SESSION_HANDLE hSession, 
                 CK_SLOT_ID        TargetslotID, 
                 const CK_CHAR     *username); 

CA_STCGetAdminPID

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_STCGetAdminPID(CK_SLOT_ID   slotId, 
                  CK_ULONG_PTR pType, 
                  CK_BYTE_PTR  pPID, 
                  CK_ULONG_PTR pPIDLen); 

CA_STCGetAdminPubKey

Get the public key for the Admin slot's STC identity RSA keypair. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCGetAdminPubKey(CK_SLOT_ID   slotId, 
                     CK_CHAR      * mod, 
                     CK_ULONG_PTR modSize, 
                     CK_CHAR      * exp, 
                     CK_ULONG_PTR expSize); //not supported

CA_STCGetChannelID

Get the Secure Trusted Channel ID for the current slot.

CA_STCGetChannelID(CK_SLOT_ID   slotId, 
                   CK_ULONG_PTR ulChannelId); 

CA_STCGetCipherAlgorithm

Get all the valid cipher suites allowed for the specified slot.

CA_STCGetCipherAlgorithm(CK_SESSION_HANDLE hSession, 
                         CK_ULONG          TargetSlotID, 
                         CK_BYTE_PTR       pIDCount, 
                         CK_ULONG_PTR      pIDs); 

CA_STCGetCipherID

Get the ID for the cipher currently in use on active STC to this slot.

CA_STCGetCipherID(CK_SLOT_ID   slotId, 
                  CK_ULONG_PTR ulCipherId); 

CA_STCGetCipherIDs

Get all cipher IDs valid for use with STC to the specified slot.

CA_STCGetCipherIDs(CK_SLOT_ID   slotID, 
                   CK_ULONG_PTR pulArray, 
                   CK_BYTE_PTR  pbArraySize); 

CA_STCGetCipherNameByID

Get the readable name string for the specified Cipher ID.

CA_STCGetCipherNameByID(CK_SLOT_ID  slotID, 
                        CK_ULONG    ulCipherID, 
                        CK_CHAR_PTR pszName, 
                        CK_BYTE     bNameBufSize); 

CA_STCGetClientInfo

Get the STC registration details (name, public key, active access) about the specified client on the specified slot. This function is deprecated in Luna HSM Firmware 7.7.0 and newer. Use CA_STCGetClientInfoV2 instead.

CA_STCGetClientInfo(CK_SESSION_HANDLE hSession, 
                    CK_SLOT_ID        TargetSlotID, 
                    CK_ULONG          ulHandle, 
                    CK_CHAR           * username, 
                    CK_ULONG_PTR      name_len, 
                    CK_ULONG_PTR      access, 
                    CK_CHAR           * mod, 
                    CK_ULONG_PTR      mod_len, 
                    CK_CHAR           * exp, 
                    CK_ULONG_PTR      exp_len); //not supported

CA_STCGetClientInfoV2

Get the STC registration details (name, public key, active access) about the specified client on the specified slot. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0. For older firmware/client versions, use CA_STCGetClientInfo.

CA_STCGetClientInfoV2(CK_SESSION_HANDLE hSession, 
                      CK_SLOT_ID        TargetSlotID, 
                      CK_ULONG          ulHandle, 
                      CK_CHAR           * username, 
                      CK_ULONG_PTR      name_len, 
                      CK_ULONG_PTR      type, 
                      CK_BYTE           * userid, 
                      CK_ULONG_PTR      id_len); 

CA_STCGetClientsList

Get the list of all STC clients registered to the specified slot.

CA_STCGetClientsList(CK_SESSION_HANDLE hSession, 
                     CK_SLOT_ID        TargetSlotID, 
                     CK_ULONG_PTR      pulCIDArray, 
                     CK_ULONG_PTR      pulCIDArraySize); 

CA_STCGetCurrentKeyLife

Get the remaining lifetime (in operations) for the active negotiated STC session key. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCGetCurrentKeyLife(CK_SESSION_HANDLE hSession, 
                        CK_ULONG          TargetSlotID, 
                        CK_ULONG_PTR      pcurKeyLife); //not supported

CA_STCGetDigestAlgorithm

Get all the valid digest algorithms allowed for the specified slot. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCGetDigestAlgorithm(CK_SESSION_HANDLE hSession, 
                         CK_ULONG          TargetSlotID, 
                         CK_BYTE_PTR       pIDCount, 
                         CK_ULONG_PTR      pIDs); //not supported

CA_STCGetDigestID

Get the ID for the digest currently in use on active STC to this slot. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCGetDigestID(CK_SLOT_ID   slotId, 
                  CK_ULONG_PTR ulDigestId); //not supported

CA_STCGetDigestIDs

Get all digest IDs valid for use with STC to the specified slot. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCGetDigestIDs(CK_SLOT_ID   slotID, 
                   CK_ULONG_PTR pulArray, 
                   CK_BYTE_PTR  pbArraySize); //not supported

CA_STCGetDigestNameByID

Get the readable name string for the specified Digest ID. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCGetDigestNameByID(CK_SLOT_ID  slotID, 
                        CK_ULONG    ulDigestID, 
                        CK_CHAR_PTR pszName, 
                        CK_BYTE     bNameBufSize); //not supported

CA_STCGetKeyActivationTimeout

Get the amount of time allowed between the initiation and completion of STC session negotiation.

CA_STCGetKeyActivationTimeOut(CK_SESSION_HANDLE hSession, 
                              CK_ULONG          TargetSlotID, 
                              CK_ULONG_PTR      ptimeOut); 

CA_STCGetKeyLifetime

Get the configured session key lifetime (in operations) for the specified slot.

CA_STCGetKeyLifeTime(CK_SESSION_HANDLE hSession, 
                     CK_ULONG          TargetSlotID, 
                     CK_ULONG_PTR      plifeTime); 

CA_STCGetMaxSessions

CA_STCGetMaxSessions(CK_SESSION_HANDLE hSession, 
                     CK_ULONG          TargetSlotID, 
                     CK_ULONG_PTR      pmaxSessions); 

CA_STCGetPartPubKey

Get the public key for the specified slot STC identity RSA keypair. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCGetPartPubKey(CK_SESSION_HANDLE hSession, 
                    CK_SLOT_ID        TargetSlotID, 
                    CK_CHAR           * mod, 
                    CK_ULONG_PTR      modSize, 
                    CK_CHAR           * exp, 
                    CK_ULONG_PTR      expSize); //not supported

CA_STCGetPID

Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0.

CA_STCGetPID(CK_SESSION_HANDLE hSession, 
             CK_SLOT_ID        TargetSlotID, 
             CK_ULONG_PTR      pType, 
             CK_BYTE_PTR       pPID, 
             CK_ULONG_PTR      pPIDLen); 

CA_STCGetPubKey

Get the specified slot's public key.

CA_STCGetPubKey(CK_SESSION_HANDLE hSession, 
                CK_SLOT_ID        TargetSlotID, 
                const CK_CHAR     * username, 
                CK_CHAR           *pmod, 
                CK_ULONG_PTR      mod_len, 
                CK_CHAR           *pexp, 
                CK_ULONG_PTR      exp_len); //not supported

CA_STCGetSequenceWindowSize

Get the replay window size for the specified slot. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCGetSequenceWindowSize(CK_SESSION_HANDLE hSession, 
                            CK_ULONG          TargetSlotID, 
                            CK_ULONG_PTR      pwindowSize); //not supported

CA_STCGetState

Get the STC state of the specified slot.

CA_STCGetState(CK_ULONG TargetSlotID, 
               CK_CHAR  * str, 
               CK_BYTE  bbufferSize); 

CA_STCIsEnabled

Determine if STC is configured for the specified slot.

CA_STCIsEnabled(CK_ULONG    TargetSlotID, 
                CK_BYTE_PTR pbenabled); 

CA_STCRegister

Register a client for STC to the specified slot. This function is deprecated in Luna HSM Firmware 7.7.0 and newer. Use CA_STCRegisterV2 instead.

CA_STCRegister(CK_SESSION_HANDLE hSession, 
               CK_SLOT_ID        TargetSlotID, 
               const CK_CHAR     *username, 
               CK_ULONG          access, 
               const CK_CHAR     *pmod, 
               CK_ULONG          mod_len, 
               const CK_CHAR     *pexp, 
               CK_ULONG          exp_len); //not supported

CA_STCRegisterV2

Register a client for STC to the specified slot. Requires minimum Luna HSM Firmware 7.7.0 and Luna HSM Client 10.3.0. For older firmware/client versions, use CA_STCRegister.

CA_STCRegisterV2(CK_SESSION_HANDLE hSession, 
                 CK_SLOT_ID        TargetSlotID, 
                 const CK_CHAR     *username, 
                 const CK_ULONG    nameLen, 
                 CK_ULONG          type, 
                 const CK_BYTE     *credential, 
                 CK_ULONG          credentialLen); 

CA_STCSetCipherAlgorithm

Set a cipher algorithm as valid for use with STC on the specified slot.

CA_STCSetCipherAlgorithm(CK_SESSION_HANDLE hSession, 
                         CK_ULONG          TargetSlotID, 
                         CK_ULONG          CipherID); 

CA_STCSetDigestAlgorithm

Set a digest algorithm as valid for use with STC on the specified slot. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCSetDigestAlgorithm(CK_SESSION_HANDLE hSession, 
                         CK_ULONG          TargetSlotID, 
                         CK_ULONG          DigestID); //not supported

CA_STCSetKeyActivationTimeout

Set the amount of time allowed between the initiation and completion of STC session negotiations for the specified slot.

CA_STCSetKeyActivationTimeOut(CK_SESSION_HANDLE hSession, 
                              CK_ULONG          TargetSlotID, 
                              CK_ULONG          timeOut); 

CA_STCSetKeyLifetime

Set how long (in operations) an STC session key can live before STC rekeying occurs on the specified slot.

CA_STCSetKeyLifeTime(CK_SESSION_HANDLE hSession, 
                     CK_ULONG          TargetSlotID, 
                     CK_ULONG          lifeTime); 

CA_STCSetMaxSessions

CA_STCSetMaxSessions(CK_SESSION_HANDLE hSession, 
                     CK_ULONG          TargetSlotID, 
                     CK_ULONG          maxSessions); 

CA_STCSetSequenceWindowSize

Set the replay window size for the specified slot. This function is deprecated in Luna HSM Firmware 7.7.0 and newer.

CA_STCSetSequenceWindowSize(CK_SESSION_HANDLE hSession, 
                            CK_ULONG          TargetSlotID, 
                            CK_ULONG          windowSize); //not supported

CA_STMGetState

Get Secure Transport Mode state (enabled or disabled).

CA_STMGetState(CK_SLOT_ID   slotID, 
               CK_ULONG_PTR state); 
I/O Argument Description
In slotID The slot number.
Out state The STM state.

CA_STMToggle

Enter or recover from Secure Transport Mode.

CA_STMToggle(CK_SESSION_HANDLE ulSessionNumber, 
             CK_ULONG          ulValue, 
             CK_ULONG          ulInputDataSize, 
             CK_CHAR_PTR       pInputData, 
             CK_ULONG_PTR      pulOutputDataSize, 
             CK_CHAR_PTR       pOutputData); 

CA_SwitchSecondarySlot

CA_SwitchSecondarySlot(CK_SESSION_HANDLE hSession, 
                       CK_SLOT_ID        slotID, 
                       CK_ULONG          slotInstance); 

CA_TamperClear

Clear a tamper condition on the HSM. Available to the HSM SO only. See also Recovering from a Tamper Event.

CA_TamperClear(CK_SESSION_HANDLE ulSessionNumber); 
I/O Argument Description
In ulSessionNumber The session handle.

CA_TestTrace

Requires minimum Luna HSM Firmware 7.3.0 and Luna HSM Client 7.3.0.

CA_TestTrace(CK_SLOT_ID   slotID, 
             CK_ULONG     ulTypeOfTrace, 
             CK_BYTE_PTR  pInData, 
             CK_ULONG     ulInDataLength, 
             CK_BYTE_PTR  pOutData, 
             CK_ULONG_PTR pulOutDataLength); 

CA_TimeSync

Synchronize the HSM time with the host time.

CA_TimeSync(CK_SESSION_HANDLE hSession, 
            CK_ULONG          ulTime); 

CA_TokenDelete

Delete a partition on the HSM. Available to the HSM SO only. See also Creating or Deleting an Application Partition.

CA_TokenDelete(CK_SESSION_HANDLE hSession, 
               CK_SLOT_ID        slotID); 

CA_TokenInsert

CA_TokenInsert(CK_SESSION_HANDLE   hSession, 
               const CT_TokenHndle token, 
               CK_SLOT_ID          slotID); 

CA_TokenInsertNoAuth

CA_TokenInsertNoAuth(const CT_TokenHndle token, 
                     CK_SLOT_ID          slotID); 

CA_TokenZeroize

Zeroize a partition in the specified slot.

CA_TokenZeroize(CK_SESSION_HANDLE hSession, 
                CK_SLOT_ID        slotID, 
                CK_FLAGS          flags); 

CA_UnloadModule

CA_UnloadModule(CK_SESSION_HANDLE hSession, 
                CKCA_MODULE_ID    moduleId); 

CA_UnlockClusteredSlot

Unlock the specified keyring. It might have been locked deliberately using CA_LockClusteredSlot or CA_GetUnassignedSlot. This extension applies to Luna keyrings only (see also Cluster Extensions). Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.

CA_UnlockClusteredSlot(CK_SLOT_ID slotId); 
I/O Argument Description
Input slotId The slot number.

Return Code Hex Description
CKR_OK 0x0000 Successful
CKR_SLOT_ID_INVALID 0x0003
CKR_DEVICE_ERROR 0x0030

CA_ValidateContainerPolicySet

Validate partition policy settings. Requires minimum Luna HSM Firmware 7.1.0 and Luna HSM Client 7.1.0. See also lunacm:> partition showpolicies.

CA_ValidateContainerPolicySet(CK_SLOT_ID         slotId, 
                              CK_ULONG           ulContainerNumber, 
                              CK_POLICY_INFO_PTR policyInfo, 
                              CK_ULONG           policyCount, 
                              CK_RV_PTR          policyResults); 

CA_ValidateHSMPolicySet

Validate HSM policy settings. Requires minimum Luna HSM Firmware 7.1.0 and Luna HSM Client 7.1.0. See also lunacm:> hsm showpolicies.

CA_ValidateHSMPolicySet(CK_SLOT_ID         slotId, 
                        CK_POLICY_INFO_PTR policyInfo, 
                        CK_ULONG           policyCount, 
                        CK_RV_PTR          policyResults); 

CA_WaitForSlotEvent

On PCMCIA HSMs, extends C_WaitForSlotEvent and provides a history of events.

CA_WaitForSlotEvent(CK_FLAGS       flags, 
                    CK_ULONG       history[2], 
                    CK_SLOT_ID_PTR pSlot, 
                    CK_VOID_PTR    pReserved); 

CA_WrapKeyWithScheme

This function behaves the same as the standard C_WrapKey function, except that the keyEncodingScheme and pUsageInfo values are passed down to the key encoding operation of the mechanism, to guide the selection of the encoding scheme and to add an optional Attributes field.

Requires minimum Luna HSM Firmware 7.9.1 and Luna HSM Client 10.9.1.

CA_WrapKeyWithScheme(CK_SESSION_HANDLE      hSession, 
                     CK_MECHANISM_PTR       pMechanism, 
                     CK_OBJECT_HANDLE       hWrappingKey, 
                     CK_OBJECT_HANDLE       hKey, 
                     CK_KEY_ENCODING_SCHEME keyEncodingScheme, 
                     CK_BYTE_PTR            pUsageInfo, 
                     CK_ULONG               ulUsageInfoLen, 
                     CK_BYTE_PTR            pWrappedKey, 
                     CK_ULONG_PTR           pulWrappedKeyLen); 
I/O Argument Description
In hSession The authenticated session handle.
pMechanism Specifies the mechanism to use for the operation.

hKey The key to be wrapped.
keyEncodingScheme

To allow a key exporter and importer to interoperate, CA_WrapKeyWithScheme supports more than one export scheme through extensions to PKCS#11. ML-DSA and ML-KEM keys use the same layout and so are treated the same.

Valid values for keyEncodingScheme:

>0: Default. The Luna HSM chooses the output (1 if CKA_SEED is present, otherwise 2).

>1: Encode the seed only.

Seed [0] OCTET STRING

>2: Encode the expanded key only.

expandedKey OCTET STRING

>3: Encode both.

both SEQUENCE {
   seed OCTET STRING,
   expandedKey OCTET STRING
}

>4: Include the public key. OR this value into the selected scheme to specify that the encoding also includes the public key.

pUsageInfo

Pointer to a valid DER encoding of a set of attributes, where each Attribute is a SEQUENCE containing an OID followed by a SET of one or more values:

Attribute ::= SEQUENCE {
   attrType          OBJECT IDENTIFIER,
   attrValues        SET OF ANY
}
Attributes  ::=  SET OF Attribute

The maximum supported length is 1024 bytes.

Here is a sample showing a keyUsage Attribute for an ML-KEM private key where bit 2 (keyEncipherment) is set:

31 0E                          ; SET OF Attributes, 14 bytes long
   30 0C                       ; 1st Attribute SEQUENCE, 12 bytes long
      06 03 55 1D 0F           ; OID keyUsage (2.5.29.15)
      31 05                    ; SET OF values, 5 bytes long
         03 03 00 20 00        ; BIT STR 3 bytes: 0 unused bits, val 0x2000

For illustration, here is a BIT STR with digitalSignature + nonRepudiation set:

         03 03 00 C0 00        ; BIT STR 3 bytes: 0 unused bits, val 0xC000

The KeyUsage bit assignments are:

KeyUsage ::= BIT STRING {
           digitalSignature        (0),
           nonRepudiation          (1), -- recent editions of X.509 have
                                -- renamed this bit to contentCommitment
           keyEncipherment         (2),
           dataEncipherment        (3),
           keyAgreement            (4),
           keyCertSign             (5),
           cRLSign                 (6),
           encipherOnly            (7),
           decipherOnly            (8) }

ulUsageInfoLen The length of the set of attributes in pUsageInfo. If this value is 0, no Attributes field is added to the PKCS#8 encoding.
Out pWrappedKey The wrapped key.
pulWrappedKeyLen The length of the wrapped key.
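
The following C is an added example, not Luna or Thales code: it builds the Attributes structure described above for pUsageInfo (a SET OF one keyUsage Attribute whose value is the two-octet BIT STRING shown in the sample) and parses such a buffer back, checking the DER tags and lengths and the documented 1024-byte maximum before the buffer is handed to CA_WrapKeyWithScheme. The tags, the keyUsage OID bytes and the sample values come from the reference text; the function names (ku_mask, encode_keyusage_attributes, parse_keyusage_attributes, sample_matches_reference) and the round-trip check are this example's own.

```c
/* Added example, not Luna or Thales code: build and parse the DER
 * "Attributes ::= SET OF Attribute" buffer passed to CA_WrapKeyWithScheme in
 * pUsageInfo. Tags, the keyUsage OID and sample values come from the reference
 * text; the helper names and the round-trip check are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* KeyUsage bit numbers from the X.509 BIT STRING definition (bit 0 = MSB). */
enum { KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION, KU_KEY_ENCIPHERMENT, KU_DATA_ENCIPHERMENT,
       KU_KEY_AGREEMENT, KU_KEY_CERT_SIGN, KU_CRL_SIGN, KU_ENCIPHER_ONLY, KU_DECIPHER_ONLY };

/* Content octets of OID 2.5.29.15 (id-ce-keyUsage), as in the sample. */
static const uint8_t KEYUSAGE_OID[] = { 0x55, 0x1D, 0x0F };
/* Mask for one KeyUsage bit in the two-octet value used by the sample. */
uint16_t ku_mask(int bit) { return (uint16_t)(0x8000u >> bit); }

/* Emit SET { SEQUENCE { OID keyUsage, SET { BIT STRING ku } } } into out.
 * Returns the encoded length, or 0 if out is too small. */
size_t encode_keyusage_attributes(uint16_t ku, uint8_t *out, size_t outlen)
{
    /* BIT STRING with 0 unused bits and two value octets, as in the sample. */
    const uint8_t bitstr[] = { 0x03, 0x03, 0x00, (uint8_t)(ku >> 8), (uint8_t)ku };
    const size_t attr_len = (2 + sizeof KEYUSAGE_OID) + (2 + sizeof bitstr); /* 12 */
    uint8_t *p = out;
    if (outlen < 2 + 2 + attr_len) return 0;                /* 16 bytes needed    */
    *p++ = 0x31; *p++ = (uint8_t)(2 + attr_len);            /* SET OF Attribute   */
    *p++ = 0x30; *p++ = (uint8_t)attr_len;                  /* Attribute SEQUENCE */
    *p++ = 0x06; *p++ = (uint8_t)sizeof KEYUSAGE_OID;       /* attrType OID       */
    memcpy(p, KEYUSAGE_OID, sizeof KEYUSAGE_OID); p += sizeof KEYUSAGE_OID;
    *p++ = 0x31; *p++ = (uint8_t)sizeof bitstr;             /* attrValues SET OF  */
    memcpy(p, bitstr, sizeof bitstr); p += sizeof bitstr;
    return (size_t)(p - out);
}

/* Read one DER length at buf[*pos] (short form, or long form with up to two
 * octets) and advance past it. Returns 0 on malformed or non-minimal input. */
static int der_len(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    size_t n, i, v = 0;
    uint8_t b;
    if (*pos >= len) return 0;
    b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 1; }
    n = b & 0x7F;
    if (n == 0 || n > 2 || *pos + n > len) return 0;
    for (i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
    if (v < (n == 1 ? 0x80u : 0x100u)) return 0;   /* DER requires minimal form */
    *out = v;
    return 1;
}

/* Validate a pUsageInfo buffer (SET OF Attribute, each a SEQUENCE of an OID and
 * a SET OF values, total within the documented 1024-byte maximum) and recover
 * the keyUsage value. Returns 1 on success, 0 if malformed or no keyUsage. */
int parse_keyusage_attributes(const uint8_t *buf, size_t len, uint16_t *ku)
{
    size_t pos = 0, l, attr_end;
    int found = 0, is_ku;
    if (len < 2 || len > 1024 || buf[pos++] != 0x31) return 0;
    if (!der_len(buf, len, &pos, &l) || pos + l != len) return 0;
    while (pos < len) {
        if (buf[pos++] != 0x30 || !der_len(buf, len, &pos, &l)) return 0;
        attr_end = pos + l;
        if (attr_end > len || pos >= attr_end || buf[pos++] != 0x06) return 0;
        if (!der_len(buf, len, &pos, &l) || pos + l > attr_end) return 0;
        is_ku = (l == sizeof KEYUSAGE_OID && memcmp(buf + pos, KEYUSAGE_OID, l) == 0);
        pos += l;
        if (pos >= attr_end || buf[pos++] != 0x31) return 0;
        if (!der_len(buf, len, &pos, &l) || pos + l != attr_end) return 0;
        if (is_ku) {   /* expect exactly one BIT STRING: 03 03 00 hh ll */
            if (l != 5 || buf[pos] != 0x03 || buf[pos + 1] != 0x03 || buf[pos + 2] != 0)
                return 0;
            *ku = (uint16_t)((buf[pos + 3] << 8) | buf[pos + 4]);
            found = 1;
        }
        pos = attr_end;
    }
    return found;
}

/* Encode keyEncipherment, compare with the reference bytes, parse it back, and
 * confirm that a truncated or undersized buffer is rejected. 1 if all hold. */
int sample_matches_reference(void)
{
    static const uint8_t ref[16] = { 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D,
                                     0x0F, 0x31, 0x05, 0x03, 0x03, 0x00, 0x20, 0x00 };
    uint8_t buf[32];
    uint16_t ku = 0;
    size_t n = encode_keyusage_attributes(ku_mask(KU_KEY_ENCIPHERMENT), buf, sizeof buf);
    return n == sizeof ref && memcmp(buf, ref, n) == 0
        && parse_keyusage_attributes(buf, n, &ku) == 1 && ku == 0x2000
        && parse_keyusage_attributes(buf, n - 1, &ku) == 0
        && encode_keyusage_attributes(ku, buf, 8) == 0;
}

int main(void)
{
    return printf("round-trips: %s\n", sample_matches_reference() ? "yes" : "no") < 0;
}
```

The parser deliberately rejects anything the reference does not describe: a non-SET outer tag, non-minimal lengths, an Attribute that does not start with an OID, a keyUsage value that is not the single three-octet BIT STRING shown, and any buffer over 1024 bytes. The BIT STRING layout (0 unused bits, two value octets) follows the sample bytes on this page rather than the stricter trailing-zero trimming general DER would apply, so the encoder reproduces the reference exactly.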

CA_WriteCommonStore

CA_WriteCommonStore(CK_ULONG    index, 
                    CK_BYTE_PTR pBuffer, 
                    CK_ULONG    ulBufferSize); 

CA_Zeroize

Zeroize the HSM.

CA_Zeroize(CK_SLOT_ID slotId, 
           CK_FLAGS   flags); 

CA_ZeroizeContainer

Zeroize an application partition. Requires minimum Luna HSM Firmware 7.1.0 and Luna HSM Client 7.1.0.

CA_ZeroizeContainer(CK_SESSION_HANDLE hSession); 
I/O Argument Description
Input hSession The authenticated session handle.

GetTotalOperations

GetTotalOperations(CK_SLOT_ID slotId, 
                   int        *operations); 

ResetTotalOperations

ResetTotalOperations(CK_SLOT_ID slotId); 
I/O Argument Description
Input slotId The slot number.