print Print
Logo: Stiftung Secure Information and Communication Technologies SIC Stiftung Secure Information and Communication Technologies SIC

Features of the IAIK JCE Provider for PKCS#11

Introduction

 The IAIK JCE Provider for PKCS#11 provides access to various types of cryptographic algorithms. This includes ciphers, hash algorithms, key agreement algorithms, MACs and signature algorithms. Moreover, it provides access to key and key-pair generators for key generation and key factories for importing end exporting keys to and from other providers.

 The provider does not implement these algorithms itself. It rather converts the command parameters into structures suitable for PKCS#11 modules and forwards the calls to an underlying PKCS#11 token. A PKCS#11 token can be a smart card or a hardware security module. There are some exceptions to this rule. For signature algorithms there are two different types in general. One does the hashing in software inside the provider and sends the final hash for signing to the token. The other does the complete calculation, including the hash, on the token. The first type will have performance advantages, whereby the second may have security advantages - it may be harder to attack.

 The JCA key objects of this provider only contain key material that is extractable from the token. If some key material of PKCS#11 key objects in not extractable, which almost always holds for private keys, the key objects of this provider do not hold any sensitive key material. This is the main reason why key objects of this provider cannot be used with signature and cipher engines of software JCE providers and vice versa. However, if the key material is extractable, the application can use the key factories of the PKCS#11 provider to generate key specifications. Using this key specifications, the application can use the key factories of another provider to generate keys suitable for the other provider. Have a look at the key factory samples. Some key types provide their key material directly, if extractable from the token; for example RSA, DSA, DH and secret keys.

Registration of Algorithms

 By default, the IAIK JCE Provider for PKCS#11 always registers all algorithms listed in the feature description of the documentation regardless of the supported features of any present token. One reason for this behavior is that SUN's JCE architecture does not support removing an already registered algorithm. Thus, it would not be possible to adapt the list of algorithms on demand. The mechanisms that the provider can access through PKCS#11 depend on the token currently present, and this may change at any time.

 However, the application can modify the list of algorithms that the provider registers. The provider simply reads a properties file from the CLASSPATH and registers the algorithms as listed in this file. The name of this properties file can be configured with the ALGORITHM_PROPERTIES entry in the provider's configuration properties. This file must be in the CLASSPATH.

 The default file is iaik.pkcs.pkcs11.provider.IAIKPkcs11Algorithm.properties, which is included in the provider's jar file. It contains all algorithms listed below.

 If the application provides an own algorithms file, the provider will use this file instead of the default file.

 A configuration option allows to modify the list of supported algorithms dynamically. This option can be enabled by setting the property with the key CHECK_MECHANISM_SUPPORTED. If this feature is enabled, the provider reads the list of supported algorithms as configured with the ALGORITHM_PROPERTIES, but it does not pass any algorithm to the JCA/JCE framework, if the currently present token does not support the required PKCS#11 mechanism or if there is currently no token present. Notice that this feature may not work as expected with every Java runtime environment; for example, most SUN VMs cache the algorithms of a provider internally in their JCA/JCE framework. This means, if the VM uses an algorithm of an provider, it expects that this algorithm is available at any time and does not request this algorithm from the provider, but rather takes the implementation class out of its own cache.

Supported Algorithms

 The following table shows the supported algorithms. For each JCA and JCE algorithm it shows the underlying PKCS#11 mechanism and the used functions of the configured PKCS#11 module.

JCA and JCE Algorithms

Message Digest Algorithms

 MessageDigest md = MessageDigest.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 Md2

 (Message Digest 2)

Uses the mechanism CKM_MD2 of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_DigestInit

 C_DigestUpdate

 C_DigestFinal

 

 Md5

 (Message Digest 5)

Uses the mechanism CKM_MD5 of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_DigestInit

 C_DigestUpdate

 C_DigestFinal

 

 SHA-1

 (Secure Hash Algorithm)

Uses the mechanism CKM_SHA_1 of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_DigestInit

 C_DigestUpdate

 C_DigestFinal

 SHA

 SHA1

 1.3.14.3.2.18

 SHA-256

 (Secure Hash Algorithm)

Uses the mechanism CKM_SHA256 of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_DigestInit

 C_DigestUpdate

 C_DigestFinal

 SHA256

 2.16.840.1.101.3.4.2.1

 SHA-384

 (Secure Hash Algorithm)

Uses the mechanism CKM_SHA384 of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_DigestInit

 C_DigestUpdate

 C_DigestFinal

 SHA384

 2.16.840.1.101.3.4.2.2

 SHA-512

 (Secure Hash Algorithm)

Uses the mechanism CKM_SHA512 of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_DigestInit

 C_DigestUpdate

 C_DigestFinal

 SHA512

 2.16.840.1.101.3.4.2.3

 RipeMd128

 (RACE Integrity Primitives Evaluation Message Digest 128)

Uses the mechanism CKM_RIPEMD128 of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_DigestInit

 C_DigestUpdate

 C_DigestFinal

 RipeMd-128

 1.3.36.3.2.2

 RipeMd160

 (RACE Integrity Primitives Evaluation Message Digest 160)

Uses the mechanism CKM_RIPEMD160 of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_DigestInit

 C_DigestUpdate

 C_DigestFinal

 RipeMd-160

 1.3.36.3.2.1

 FastHash

 (US Government's Fast Hash Algorithm)

Uses the mechanism CKM_FASTHASH of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_DigestInit

 C_DigestUpdate

 C_DigestFinal

 

Digital Signature Algorithms

 Signature sig = Signature.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 MD2/RSA

 (MD2 [in software] with RSA encryption [on the token])

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 MD2withRSA

 1.2.840.113549.1.1.2

 ExternalMD2/RSA

 ExternalMD2withRSA

 MD5/RSA

 (MD5 [in software] with RSA encryption [on the token])

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 MD5withRSA

 1.2.840.113549.1.1.4

 ExternalMD5/RSA

 ExternalMD5withRSA

 SHA/RSA

 (SHA-1 [in software] with RSA encryption [on the token])

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-1/RSA

 SHAwithRSA

 SHA1withRSA

 1.2.840.113549.1.1.5

 1.3.14.3.2.29

 ExternalSHA/RSA

 ExternalSHAwithRSA

 ExternalSHA1withRSA

 SHA256/RSA

 (SHA-256 [in software] with RSA encryption [on the token])

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-256/RSA

 SHA256withRSA

 1.2.840.113549.1.1.11

 ExternalSHA256/RSA

 ExternalSHA256withRSA

 SHA384/RSA

 (SHA-384 [in software] with RSA encryption [on the token])

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-384/RSA

 SHA384withRSA

 1.2.840.113549.1.1.12

 ExternalSHA384/RSA

 ExternalSHA384withRSA

 SHA512/RSA

 (SHA-512 [in software] with RSA encryption [on the token])

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-512/RSA

 SHA512withRSA

 1.2.840.113549.1.1.13

 ExternalSHA512/RSA

 ExternalSHA512withRSA

 SHA/RSA/X9.31

 (SHA-1 [in software] with X9.31 RSA signature [on the token])

Uses the mechanism CKM_RSA_X9_31 of the underlying PKCS#11 module. The hash is calculated in software inside the provider. X9.31 is an ANSI standard.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-1/RSA/X9.31

 SHAwithX9_31RSA

 SHA1withX9_31RSA

 ExternalSHA/RSA/X9.31

 ExternalSHAwithX9_31RSA

 ExternalSHA1withX9_31RSA

 SHA/RSA/PSS

 (SHA-1 [in software] with RSA signature and PSS padding [on the token])

Uses the mechanism CKM_RSA_PKCS_PSS of the underlying PKCS#11 module. The hash is calculated in software inside the provider. The PSS padding is defined in PKCS#1 version 2.1.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-1/RSA/PSS

 SHAwithPssRSA

 SHA1withPssRSA

 SHAwithRSAandMGF1

 SHA1withRSAandMGF1

 ExternalSHA/RSA/PSS

 ExternalSHAwithPssRSA

 ExternalSHA1withPssRSA

 ExternalSHAwithRSAandMGF1

 ExternalSHA1withRSAandMGF1

 SHA256/RSA/PSS

 (SHA-256 [in software] with RSA signature and PSS padding [on the token])

Uses the mechanism CKM_RSA_PKCS_PSS of the underlying PKCS#11 module. The hash is calculated in software inside the provider. The PSS padding is defined in PKCS#1 version 2.1.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-256/RSA/PSS

 SHA256withPssRSA

 SHA256withRSAandMGF1

 ExternalSHA256/RSA/PSS

 ExternalSHA256withPssRSA

 ExternalSHA256withRSAandMGF1

 SHA384/RSA/PSS

 (SHA-384 [in software] with RSA signature and PSS padding [on the token])

Uses the mechanism CKM_RSA_PKCS_PSS of the underlying PKCS#11 module. The hash is calculated in software inside the provider. The PSS padding is defined in PKCS#1 version 2.1.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-384/RSA/PSS

 SHA384withPssRSA

 SHA384withRSAandMGF1

 ExternalSHA384/RSA/PSS

 ExternalSHA384withPssRSA

 ExternalSHA384withRSAandMGF1

 SHA512/RSA/PSS

 (SHA-512 [in software] with RSA signature and PSS padding [on the token])

Uses the mechanism CKM_RSA_PKCS_PSS of the underlying PKCS#11 module. The hash is calculated in software inside the provider. The PSS padding is defined in PKCS#1 version 2.1.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-512/RSA/PSS

 SHA512withPssRSA

 SHA512withRSAandMGF1

 ExternalSHA512/RSA/PSS

 ExternalSHA512withPssRSA

 ExternalSHA512withRSAandMGF1

 RipeMd128/RSA

 (RipeMd128 [in software] with RSA encryption [on the token])

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 RipeMd128withRSA

 RipeMd-128/RSA

 1.3.36.3.3.1.3

 ExternalRipeMd128/RSA

 ExternalRipeMd128withRSA

 RipeMd160/RSA

 (RipeMd160 [in software] with RSA encryption [on the token])

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 RipeMd160withRSA

 RipeMd-160/RSA

 1.3.36.3.3.1.2

 ExternalRipeMd160/RSA

 ExternalRipeMd160withRSA

RipeMD256/RSA

(RipeMd256 [in software] with RSA encryption [on the token])

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

RipeMd256withRSA

RipeMd-256/RSA

1.3.36.3.3.1.4

ExternalRipeMd256/RSA

ExternalRipeMd256withRSA

 DSA

 (SHA-1 [in software] with DSA [on the token])

Uses the mechanism CKM_DSA of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA/DSA

 SHA-1/DSA

 SHAwithDSA

 SHA1withDSA

 1.3.14.3.2.13

 1.3.14.3.2.27

 1.2.840.10040.4.3

 ExternalSHA/DSA

SHA256/DSA

(SHA-256 [in software] with DSA [on the token])

Uses the mechanism CKM_DSA of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

SHA-256/DSA

SHA256withDSA

2.16.840.1.101.3.4.3.2

ExternalSHA256/DSA

 SHA/ECDSA

 (SHA-1 [in software] with EC-DSA [on the token])

Uses the mechanism CKM_ECDSA of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 ECDSA

 SHA-1/ECDSA

 SHAwithECDSA

 SHA1withECDSA

 ecdsa-with-SHA1

 EcdsaWithSHA1

 1.2.840.10045.4.1

 ExternalSHA/ECDSA

 SHA224/ECDSA

 (SHA-224 [in software] with EC-DSA [on the token])

Uses the mechanism CKM_ECDSA of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-224/ECDSA

 SHA224withECDSA

 ecdsa-with-SHA224

 EcdsaWithSHA224

 1.2.840.10045.4.3.1

 ExternalSHA224/ECDSA

 SHA256/ECDSA

 (SHA-256 [in software] with EC-DSA [on the token])

Uses the mechanism CKM_ECDSA of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-256/ECDSA

 SHA256withECDSA

 ecdsa-with-SHA256

 EcdsaWithSHA256

 1.2.840.10045.4.3.2

 ExternalSHA256/ECDSA

 SHA384/ECDSA

 (SHA-384 [in software] with EC-DSA [on the token])

Uses the mechanism CKM_ECDSA of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-384/ECDSA

 SHA384withECDSA

 ecdsa-with-SHA384

 EcdsaWithSHA384

 1.2.840.10045.4.3.3

 ExternalSHA384/ECDSA

 SHA512/ECDSA

 (SHA-512 [in software] with EC-DSA [on the token])

Uses the mechanism CKM_ECDSA of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 SHA-512/ECDSA

 SHA512withECDSA

 ecdsa-with-SHA512

 EcdsaWithSHA512

 1.2.840.10045.4.3.4

 ExternalSHA512/ECDSA

 InternalMD2/RSA

 (MD2 with RSA encryption [both on the token])

Uses the mechanism CKM_MD2_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated on the token.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalMD2withRSA

 InternalMD5/RSA

 (MD5 with RSA encryption [both on the token])

Uses the mechanism CKM_MD5_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated on the token.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalMD5withRSA

 InternalSHA/RSA

 (SHA-1 with RSA encryption [both on the token])

Uses the mechanism CKM_SHA1_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated on the token.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalSHAwithRSA

 InternalSHA1withRSA

 InternalSHA256/RSA

 (SHA-256 with RSA encryption [both on the token])

Uses the mechanism CKM_SHA256_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated on the token.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalSHA256withRSA

 InternalSHA384/RSA

 (SHA-384 with RSA encryption [both on the token])

Uses the mechanism CKM_SHA384_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated on the token.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalSHA384withRSA

 InternalSHA512/RSA

 (SHA-512 with RSA encryption [both on the token])

Uses the mechanism CKM_SHA512_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated on the token.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalSHA512withRSA

 InternalSHA/RSA/X9.31

 (SHA-1 with X9.31 RSA signature [both on the token])

Uses the mechanism CKM_SHA1_RSA_X9_31 of the underlying PKCS#11 module. The hash is calculated on the token. X9.31 is an ANSI standard.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalSHAwithX9_31RSA

 InternalSHA1withX9_31RSA

 InternalSHA/RSA/PSS

 (SHA-1 with RSA signing and PSS padding [all on the token])

Uses the mechanism CKM_SHA1_RSA_PKCS_PSS of the underlying PKCS#11 module. The hash is calculated on the token. PSS padding is defined in PKCS#1 version 2.1.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalSHAwithPssRSA

 InternalSHA1withPssRSA

 InternalSHAwithRSAandMGF1

 InternalSHA1withRSAandMGF1

 InternalSHA256/RSA/PSS

 (SHA-256 with RSA signing and PSS padding [all on the token])

Uses the mechanism CKM_SHA256_RSA_PKCS_PSS of the underlying PKCS#11 module. The hash is calculated on the token. PSS padding is defined in PKCS#1 version 2.1.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalSHA256withPssRSA

 InternalSHA256withRSAandMGF1

 InternalSHA384/RSA/PSS

 (SHA-384 with RSA signing and PSS padding [all on the token])

Uses the mechanism CKM_SHA384_RSA_PKCS_PSS of the underlying PKCS#11 module. The hash is calculated on the token. PSS padding is defined in PKCS#1 version 2.1.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalSHA384withPssRSA

 InternalSHA384withRSAandMGF1

 InternalSHA512/RSA/PSS

 (SHA-512 with RSA signing and PSS padding [all on the token])

Uses the mechanism CKM_SHA512_RSA_PKCS_PSS of the underlying PKCS#11 module. The hash is calculated on the token. PSS padding is defined in PKCS#1 version 2.1.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalSHA512withPssRSA

 InternalSHA512withRSAandMGF1

 InternalRipeMd128/RSA

 (RipeMd128 with RSA encryption [both on the token])

Uses the mechanism CKM_RIPEMD128_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated on the token.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalRipeMd128withRSA

 InternalRipeMd160/RSA

 (RipeMd160 with RSA encryption [both on the token])

Uses the mechanism CKM_RIPEMD160_RSA_PKCS of the underlying PKCS#11 module. The hash is calculated on the token.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 InternalRipeMd160withRSA

 InternalSHA/DSA

 (SHA-1 with DSA [both on the token])

Uses the mechanism CKM_DSA_SHA1 of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 

 InternalSHA/ECDSA

 (SHA-1 with EC-DSA [both on the token])

Uses the mechanism CKM_ECDSA_SHA1 of the underlying PKCS#11 module. The hash is calculated in software inside the provider.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_SignUpdate

 C_SignFinal

 C_VerifyInit

 C_VerifyUpdate

 C_VerifyFinal

 

 RawRSA

 (raw RSA encryption [on the token] without hashing and without padding)

Uses the mechanism CKM_RSA_X_509 of the underlying PKCS#11 module. This algorithm does not calculate a hash at all, it just signs what it gets. The input data must already be appropriately padded; e.g. it must have the length of the modulus of the used key but if interpreted as an integer with most significant byte first, it must be less than the modulus.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 RawRSA/X.509

 RawRSA/PKCS1

 (raw RSA encryption [on the token] without hashing but with PKCS#1 padding)

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. This algorithm does not calculate a hash at all, it just signs what it gets. The application must provide a hash value wrapped in a DigestInfo object as input.

 The PKCS padding is defined in PKCS#1 version 1.5.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

RSAforSSL

 RawRSA/ISO9796

 (raw RSA encryption [on the token] without hashing but with ISO/IEC 9796 padding)

Uses the mechanism CKM_RSA_PKCS of the underlying PKCS#11 module. This algorithm does not calculate a hash at all, it just signs what it gets. The application must provide a hash value as input.

 The ISO/IEC 9796 is an ISO and IEC standard.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 

 RawRSA/PSS

 (raw RSA encryption [on the token] without hashing but with PSS padding)

Uses the mechanism CKM_RSA_PKCS_PSS of the underlying PKCS#11 module. This algorithm does not calculate a hash at all, it just signs what it gets. The application must provide a hash value as input.

 The PSS padding is defined in PKCS#1 version 2.1.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 

 RawRSA/X9.31

 (raw RSA encryption [on the token] according to X9.31 without hashing but partial padding)

Uses the mechanism CKM_RSA_X9_31 of the underlying PKCS#11 module. This algorithm does not calculate a hash. The application must provide a hash value with the appropriate X9.31 trailer as input. For instance, the trailer for SHA-1 is 0x33 0xCC. The input to this signature algorithm will consist of 22 bytes - 20 bytes SHA-1 hash and two bytes trailer (0x33 0xCC). X9.31 is an ANSI standard.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 

 RawDSA

 (raw DSA signing [on the token] without hashing)

Uses the mechanism CKM_DSA of the underlying PKCS#11 module. This algorithm does not calculate a hash at all, it just signs what it gets. The input data must be 20 bytes in length; e.g. a SHA-1 hash value.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 

 RawECDSA

 (raw EC-DSA signing [on the token] without hashing)

Uses the mechanism CKM_ECDSA of the underlying PKCS#11 module. This algorithm does not calculate a hash at all, it just signs what it gets.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_VerifyInit

 C_Verify

 

Key-Pair Generators

 KeyPairGenerator keyGen = KeyPairGenerator.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 RSA

 (RSA Key-Pair Generator)

Uses the mechanism CKM_RSA_PKCS_KEY_PAIR_GEN of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKeyPair

 

 RSA/X9.31

 (RSA Key-Pair Generator)

Uses the mechanism CKM_RSA_X9_31_KEY_PAIR_GEN of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKeyPair

 SHA-1/RSA/X9.31

 SHAwithX9_31RSA

 SHA1withX9_31RSA

 PKCS11/SHA/RSA/X9.31

 DSA

 (DSA Key-Pair Generator)

Uses the mechanism CKM_DSA_KEY_PAIR_GEN of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKeyPair

 1.3.14.3.2.12

 1.2.840.10040.4.1

 ECDSA

 (EC-DSA Key-Pair Generator)

Uses the mechanism CKM_ECDSA_KEY_PAIR_GEN (CKM_EC_KEY_PAIR_GEN) of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKeyPair

 EC

 ECDH

 DH

 (Diffie-Hellman Key-Pair Generator)

Uses the mechanism CKM_DH_PKCS_KEY_PAIR_GEN of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKeyPair

 DiffieHellman

 DH/X9.42

 (X9.42 Diffie-Hellman Key-Pair Generator)

Uses the mechanism CKM_X9_42_DH_KEY_PAIR_GEN of the underlying PKCS#11 module. X9.42 is an ANSI standard.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKeyPair

 

 KEA

 (NIST's Key Exchange Algorithm Key-Pair Generator)

Uses the mechanism CKM_KEA_KEY_PAIR_GEN of the underlying PKCS#11 module.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKeyPair

 

Key Factories

 KeyFactory keyFac = KeyFactory.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 RSA

 (RSA Key Factory)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 1.2.840.113549.1.1.1

 1.2.840.113549.1.1.2

 1.2.840.113549.1.1.4

 1.2.840.113549.1.1.5

 1.3.36.3.3.1.1.1

 1.3.14.3.2.29

 1.3.36.3.3.1.2

 1.3.36.3.3.1.3

 DSA

 (DSA Key Factory)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 1.3.14.3.2.12

 1.2.840.10040.4.1

 1.3.14.3.2.13

 1.3.14.3.2.27

 1.2.840.10040.4.3

 DH

 (Diffie-Hellman Key Factory)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 DiffieHellman

 ECDSA

 (Elliptic Curve Key Factory)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

EC

ECDH

 Ciphers
 (1)
 

 Cipher cipher = Cipher.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions(2)

Aliases

 RSA

 (Rivest Shamir Adleman Cipher)

 This cipher supports ECB mode only. It uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_RSA_X_509 (with padding: NoPadding and RawX509; e.g. RSA/ECB/NoPadding)
  • CKM_RSA_PKCS (with padding: Pkcs1Padding; e.g. RSA/ECB/Pkcs1Padding)
  • CKM_RSA_PKCS_OAEP (with padding: OaepPadding and OAEP; e.g. RSA/ECB/OaepPadding)
  • CKM_RSA_9796 (with padding: ISO9796Padding and ISO9796; e.g. RSA/ECB/ISO9796Padding)

 If this cipher is used in encryption mode with a private key,

 it uses the C_SignInit and C_Sign of the PKCS#11 module;

 i.e. it behaves like a cipher engine to the application but like a signature engine to the token.

 The situation is similar for public keys. With a public key used for decryption,

 this class uses C_VerifyRecoverInit and C_VerifyRecover of the PKCS#11 module.

 C_EncryptInit

 C_Encrypt

 C_DecryptInit

 C_Decrypt

 C_SignInit

 C_Sign

 C_VerifyRecoverInit

 C_VerifyRecover

 C_Unwrap

 C_Wrap

 

 DES

 (Data Encryption Standard Cipher)

 This cipher supports ECB and CBC mode. It uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_DES_ECB (with padding: NoPadding; e.g. DES/ECB/NoPadding)
  • CKM_DES_CBC (with padding: NoPadding; e.g. DES/CBC/NoPadding)
  • CKM_DES_CBC_PAD (with padding: Pkcs5Padding; e.g. DES/CBC/Pkcs5Padding)

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 

 DESede

 (Triple DES Cipher)

 This cipher supports ECB and CBC mode. It uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_DES3_ECB (with padding: NoPadding; e.g. DESede/ECB/NoPadding)
  • CKM_DES3_CBC (with padding: NoPadding; e.g. DESede/CBC/NoPadding)
  • CKM_DES3_CBC_PAD (with padding: Pkcs5Padding; e.g. DESede/CBC/Pkcs5Padding)

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 3DES

 TripleDES

 RC2

 (Ron's Code 2; Rivest Cipher 2)

 Uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_RC2_ECB (with padding: NoPadding; e.g. RC2/ECB/NoPadding)
  • CKM_RC2_CBC (with padding: NoPadding; e.g. RC2/CBC/NoPadding)
  • CKM_RC2_CBC_PAD (with padding: Pkcs5Padding; e.g. RC2/CBC/Pkcs5Padding)

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 

 RC4

 (Ron's Code 4; Rivest Cipher 4)

This is a stream cipher, and thus it does not support modes and paddings However, NONE as mode name and NoPadding as padding name are accepted. It uses the CKM_RC4 PKCS#11 mechanism of the underlying token.

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 

 RC5

 (Ron's Code 5; Rivest Cipher 5)

 This cipher supports ECB and CBC mode. It uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_RC5_ECB (with padding: NoPadding; e.g. RC5/ECB/NoPadding)
  • CKM_RC5_CBC (with padding: NoPadding; e.g. RC5/CBC/NoPadding)
  • CKM_RC5_CBC_PAD (with padding: Pkcs5Padding; e.g. RC5/CBC/Pkcs5Padding)

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 

 IDEA

 (International Data Encryption Algorithm)

 This cipher supports ECB and CBC mode. It uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_IDEA_ECB (with padding: NoPadding; e.g. IDEA/ECB/NoPadding)
  • CKM_IDEA_CBC (with padding: NoPadding; e.g. IDEA/CBC/NoPadding)
  • CKM_IDEA_CBC_PAD (with padding: Pkcs5Padding; e.g. IDEA/CBC/Pkcs5Padding)

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 

 CAST

 (Carlisle Adams and Stafford Tavares)

 This cipher supports ECB and CBC mode. It uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_CAST_ECB (with padding: NoPadding; e.g. CAST/ECB/NoPadding)
  • CKM_CAST_CBC (with padding: NoPadding; e.g. CAST/CBC/NoPadding)
  • CKM_CAST_CBC_PAD (with padding: Pkcs5Padding; e.g. CAST/CBC/Pkcs5Padding)

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 

 CAST3

 (Carlisle Adams and Stafford Tavares 3)

 This cipher supports ECB and CBC mode. It uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_CAST3_ECB (with padding: NoPadding; e.g. CAST3/ECB/NoPadding)
  • CKM_CAST3_CBC (with padding: NoPadding; e.g. CAST3/CBC/NoPadding)
  • CKM_CAST3_CBC_PAD (with padding: Pkcs5Padding; e.g. CAST3/CBC/Pkcs5Padding)

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 

 CAST128

 (Carlisle Adams and Stafford Tavares 128)

 This cipher supports ECB and CBC mode. It uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_CAST128_ECB (with padding: NoPadding; e.g. CAST128/ECB/NoPadding)
  • CKM_CAST128_CBC (with padding: NoPadding; e.g. CAST128/CBC/NoPadding)
  • CKM_CAST128_CBC_PAD (with padding: Pkcs5Padding; e.g. CAST128/CBC/Pkcs5Padding)

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 CAST5

 AES

 (Advanced Encryption Standard Cipher)

 This cipher supports ECB and CBC mode. It uses different mechanisms of the underlying PKCS#11 module denpending on the set padding. Used PKCS#11 mechanisms are:

  • CKM_AES_ECB (with padding: NoPadding; e.g. AES/ECB/NoPadding)
  • CKM_AES_CBC (with padding: NoPadding; e.g. AES/CBC/NoPadding)
  • CKM_AES_CBC_PAD (with padding: Pkcs5Padding; e.g. AES/CBC/Pkcs5Padding)

 C_EncryptInit

 C_Encrypt

 C_EncryptUpdate

 C_EncryptFinal

 C_DecryptInit

 C_Decrypt

 C_DecryptUpdate

 C_DecryptFinal

 C_Unwrap

 C_Wrap

 

Key Agreement Algorithms

 KeyAgreement keyAgr = KeyAgreement.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 DH

 (Diffie Hellman)

Uses the CKM_DH_PKCS_DERIVE mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 DiffieHellman

 1.2.840.113549.1.3.1

 ECDH

Uses the CKM_ECDH1_DERIVE/CKM_ECDH1_COFACTOR_DERIVE mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 ECDiffieHellman

 DH/X9.42

Uses the CKM_X9_42_DH_DERIVE mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 X942DH

 X9.42DH

 DiffieHellman/X9.42

Message Authentication Codes (MACs)

 MAC mac = MAC.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 HMAC/MD2

 (HMAC with MD2)

Uses the CKM_MD2_HMAC/CKM_MD2_HMAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 HmacMD2

 HMAC/MD5

 (HMAC with MD5)

Uses the CKM_MD5_HMAC/CKM_MD5_HMAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 HmacMD5

 HMAC/SHA-1

 1.3.6.1.5.5.8.1.1

 HMAC/SHA

 (HMAC with SHA-1)

Uses the CKM_SHA_1_HMAC/CKM_SHA_1_HMAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 HmacSHA1

 HMAC/SHA-1

 1.3.6.1.5.5.8.1.2

 1.2.840.113549.2.7

 HMAC/SHA256

 (HMAC with SHA-256)

Uses the CKM_SHA256_HMAC/CKM_SHA256_HMAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 HMAC/SHA-256

 HMAC/SHA384

 (HMAC with SHA-384)

Uses the CKM_SHA384_HMAC/CKM_SHA384_HMAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 HMAC/SHA-384

 HMAC/SHA512

 (HMAC with SHA-512)

Uses the CKM_SHA512_HMAC/CKM_SHA512_HMAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 HMAC/SHA-512

 HMAC/RipeMd128

 (HMAC with RipeMd128)

Uses the CKM_RIPEMD128_HMAC/CKM_RIPEMD128_HMAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 HmacRipeMd128

 HMAC/RipeMd-128

 HMAC/RipeMd160

 (HMAC with RipeMd160)

Uses the CKM_RIPEMD160_HMAC/CKM_RIPEMD160_HMAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 HmacRipeMd160

 HMAC/RipeMd-160

 1.3.6.1.5.5.8.1.4

 MAC/MD5/SSL3

Uses the CKM_SSL3_MD5_MAC mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 MAC/SHA1/SSL3

Uses the CKM_SSL3_SHA1_MAC mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

MAC/SHA-1/SSL3

 MAC/DES

 (MAC with DES)

Uses the CKM_DES_MAC/CKM_DES_MAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 MacDES

 DESMac

 MAC/DESede

 (MAC with Triple-DES)

Uses the CKM_DES3_MAC/CKM_DES3_MAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 MacDESede

 Mac3DES

 MacTripleDES

 TripleDESMac

 Mac/TripleDES

 Mac/3DES

 MAC/IDEA

 (MAC with IDEA)

Uses the CKM_IDEA_MAC/CKM_IDEA_MAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 MacIDEA

 IDEAMac

 MAC/RC2

 (MAC with RC2)

Uses the CKM_RC2_MAC/CKM_RC2_MAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 MacRC2

 RC2Mac

 MAC/RC5

 (MAC with RC5)

Uses the CKM_RC5_MAC/CKM_RC5_MAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 MacRC5

 RC5Mac

 MAC/CAST

 (MAC with CAST)

Uses the CKM_CAST_MAC/CKM_CAST_MAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 MacCAST

 CASTMac

 MAC/CAST3

 (MAC with CAST3)

Uses the CKM_CAST3_MAC/CKM_CAST3_MAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 MacCAST3

 CAST3Mac

 MAC/CAST128

 (MAC with CAST128)

Uses the CKM_CAST128_MAC/CKM_CAST128_MAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 MacCAST128

 CAST128Mac

 MAC/CAST5

 MacCAST5

 CAST5Mac

 MAC/AES

 (MAC with AES)

Uses the CKM_AES_MAC/CKM_AES_MAC_GENERAL mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_SignInit

 C_Sign

 C_SignUpdate

 C_SignFinal

 MacAES

 AESMac

Key Generators

 KeyGenerator keyGen = KeyGenerator.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 DES

 (Data Encryption Standard)

Uses the CKM_DES_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 DES2

 (Two key Triple DES)

Uses the CKM_DES2_KEY_GEN mechanism of PKCS#11.

 The generated key can be used with a

 DESede (Triple DES) cipher.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 DESede

 (Three key Triple DES)

Uses the CKM_DES3_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 TripleDES

 3DES

 IDEA

 (International Data Encryption Algorithm)

Uses the CKM_IDEA_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 RC2

 (Ron's Code 2; Rivest Cipher 2)

Uses the CKM_RC2_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 RC4

 (Ron's Code 4; Rivest Cipher 4)

Uses the CKM_RC4_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 RC5

 (Ron's Code 5; Rivest Cipher 5)

Uses the CKM_RC5_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 CAST

 (Carlisle Adams and Stafford Tavares)

Uses the CKM_CAST_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 CAST3

 (Carlisle Adams and Stafford Tavares 3)

Uses the CKM_CAST3_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 CAST128

 (Carlisle Adams and Stafford Tavares 128)

Uses the CKM_CAST128_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 CAST5

 GenericSecret

 (Generic Secret Key)

Uses the CKM_GENERIC_SECRET_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 AES

 (Advanced Encryption Standard)

Uses the CKM_AES_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 SSL3/PreMaster

Uses the CKM_SSL3_PRE_MASTER_KEY_GEN mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 SSL3Derivation

Uses the CKM_SSL3_MASTER_KEY_DERIVE mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_GenerateKey

 

 AESDerivation/CBC

Uses the CKM_AES_CBC_ENCRYPT_DATA mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 AESDerivation/ECB

Uses the CKM_AES_ECB_ENCRYPT_DATA mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 DESDerivation/CBC

Uses the CKM_DES_CBC_ENCRYPT_DATA mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 DESDerivation/ECB

Uses the CKM_DES_ECB_ENCRYPT_DATA mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 DES3Derivation/CBC

Uses the CKM_DES3_CBC_ENCRYPT_DATA mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 DES3Derivation/ECB

Uses the CKM_DES3_ECB_ENCRYPT_DATA mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 SSL3KeyAndMacDerivation

Uses the CKM_SSL3_KEY_AND_MAC_DERIVE mechanism of PKCS#11.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 MD2Derivation

 (MD2 Key Derivation)

Uses the CKM_MD2_KEY_DERIVATION mechanism of PKCS#11. It generates a new key using an existing base key and applying the message digest to it.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 MD5Derivation

 (MD5 Key Derivation)

Uses the CKM_MD5_KEY_DERIVATION mechanism of PKCS#11. It generates a new key using an existing base key and applying the message digest to it.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 SHA1Derivation

 (SHA-1 Key Derivation)

Uses the CKM_SHA1_KEY_DERIVATION mechanism of PKCS#11. It generates a new key using an existing base key and applying the message digest to it.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 SHA256Derivation

 (SHA-256 Key Derivation)

Uses the CKM_SHA256_KEY_DERIVATION mechanism of PKCS#11. It generates a new key using an existing base key and applying the message digest to it.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 SHA384Derivation

 (SHA-384 Key Derivation)

Uses the CKM_SHA384_KEY_DERIVATION mechanism of PKCS#11. It generates a new key using an existing base key and applying the message digest to it.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

 SHA512Derivation

 (SHA-512 Key Derivation)

Uses the CKM_SHA512_KEY_DERIVATION mechanism of PKCS#11. It generates a new key using an existing base key and applying the message digest to it.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_GetAttributeValue

 C_DeriveKey

 

Secret Key Factories

 SecretKeyFactory skf = SecretKeyFactory.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 DES

 (Data Encryption Standard)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 

 DESede

 (Triple DES)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 TripleDES

 3DES

 IDEA

 (International Data Encryption Algorithm)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 

 RC2

 (Ron's Code 2; Rivest Cipher 2)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 

 RC4

 (Ron's Code 4; Rivest Cipher 4)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 

 RC5

 (Ron's Code 5; Rivest Cipher 5)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 

 CAST

 (Carlisle Adams and Stafford Tavares)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 

 CAST3

 (Carlisle Adams and Stafford Tavares 3)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 

 CAST128

 (Carlisle Adams and Stafford Tavares 128)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 CAST5

 AES

 (Advanced Encryption Standard)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 

 Generic

 (Generic Secret Keys)

Creates a new key object on a PKCS#11 token. The provided specification object holds a key template and the token to use.

 C_OpenSession

 C_CloseSession

 C_GetSessionInfo

 C_Login

 C_CreateObject

 C_GetAttributeValue

 

Key Stores

 KeyStore keyStore = KeyStore.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 PKCS11SingleTokenKeyStore

 (Key Store for one PKCS#11 Token)

Holds the keys and certificates of a single PKCS#11 token. The key store supports setting new key and certificate entries, if the underlying token is writable.

 C_OpenSession

 C_CloseSession

 C_GetTokenInfo

 C_GetSessionInfo

 C_Login

 C_Logout

 C_CreateObject

 C_CopyObject

 C_DestroyObject

 C_GetAttributeValue

 C_SetAttributeValue

 C_FindObjectsInit

 C_FindObjects

 C_FindObjectsFinal

 PKCS11KeyStore

 PKCS11

 FastPKCS11KeyStore

 (Key Store for one PKCS#11 Token not checking for external changes)

Holds the keys and certificates of a single PKCS#11 token. The key store supports setting new key and certificate entries, if the underlying token is writable.

 Changes to the token (removed or replaced) or to token entries by external tools are not recognized.

 C_OpenSession

 C_CloseSession

 C_GetTokenInfo

 C_GetSessionInfo

 C_Login

 C_Logout

 C_CreateObject

 C_CopyObject

 C_DestroyObject

 C_GetAttributeValue

 C_SetAttributeValue

 C_FindObjectsInit

 C_FindObjects

 C_FindObjectsFinal

 FastPKCS11

Secure Random

 SecureRandom randomGenerator = SecureRandom.getInstance( <Standard Name> | <Alias >, <provider name >);

Standard Name

Used PKCS#11 Mechanism

Used PKCS#11 Functions

Aliases

 PKCS11

 Secure Random Data Generator using a PKCS#11 Token

 This implementation of the SecureRandomSpi uses a PKCS#11 token to generate random data. If this object is created using the default constructor, and this is always the case when instantiated through the JCA mechanism, this implementation always links to the first instance of IAIKPkcs11; this means, it uses the token in the slot of the first provider instance to generate random data. The only way to link to a different instance is to instantiate the iaik.pkcs.pkcs11.provider.random.PKCS11Random class directly and to specify the provider to work with.

 This implementation gets all random data directly from the token - seed bytes and random bytes.

 If there is no token present at creation time of this object, or if the present token does not support random number generation, this implementation uses a software delegate to process all requests. Per default, the SHA1PRNG algorithm is used for the software delegate.

 C_OpenSession

 C_CloseSession

 C_GetTokenInfo

 C_GetSessionInfo

 C_Login

 C_GenerateRandom

 C_SeedRandom

 

 PKCS11Seeded

 Secure Random Data Generator using a PKCS#11 Token for the seed.

This implementation of the SecureRandomSpi uses a PKCS#11 token to generate random data. If this object is created using the default constructor, and this is always the case when instantiated through the JCA mechanism, this implementation always links to the first instance of IAIKPkcs11; this means, it uses the token in the slot of the first provider instance to generate random data. The only way to link to a different instance is to instantiate the iaik.pkcs.pkcs11.provider.random.PKCS11Random class directly and to specify the provider to work with.

 This implementation gets random data from a software implementation and gets seed bytes directly from the token. It does not send any seed bytes to the token. Moreover, it automatically gets 1024 bits of seed from the token upon the first request for random data. If more seed data is required, the application can get more seed data from this object and subsequently set it to this engine object.

 If there is no token present at creation time of this object, or if the present token does not support random number generation, this implementation uses a software delegate to process all requests. Per default, the SHA1PRNG algorithm is used for the software delegate.

 C_OpenSession

 C_CloseSession

 C_GetTokenInfo

 C_GetSessionInfo

 C_Login

 C_GenerateRandom

 C_SeedRandom

 

 PKCS11NoSetSeed

 Secure Random Data Generator using a PKCS#11 Token, but does not send any seed to the token.

 This implementation of the SecureRandomSpi uses a PKCS#11 token to generate random data. An implementation of the SecureRandomSpi that uses a PKCS#11 token to generate random data and seeds. It operates like the PKCS11 random (iaik.pkcs.pkcs11.provider.random.PKCS11RandomSpi class), but does not try to write (set) any seed to the token. This implementation can be used, if the underlying token supports random generation but cannot be seeded externally.

 C_OpenSession

 C_CloseSession

 C_GetTokenInfo

 C_GetSessionInfo

 C_Login

 C_GenerateRandom

 C_SeedRandom

 

1) This provider supports the following cipher modes and padding schemes:

 General Usage:


   Cipher cipher = Cipher.getInstance("Cipher/Operation Mode/Padding Scheme");

 

 for instance:


 Cipher des = Cipher.getInstance("DES/CBC/PKCS5Padding", "IAIK PKCS#11:1");

 Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding", "IAIK PKCS#11:1");

 

Cipher Modes (default: ECB)

Name

Specification

ECB (Electronic Code Book)

"DES MODES OF OPERATION", NIST FIPS PUB 81

CBC (Cipher Block Chaining, for block ciphers only)

"DES MODES OF OPERATION", NIST FIPS PUB 81

Padding Schemes (default: NoPadding)

Name

Specification

NoPadding (No Padding, for all ciphers)

This means that the application must ensure that the input is a multiple of the block size.

PKCS5Padding (PKCS#5 Padding, only for block ciphers)

All block ciphers use this padding in CBC mode per default. Padding scheme as described in specified by PKCS#5

PKCS1Padding (only for RSA cipher)

padding scheme as specified by PKCS#1 v1.5

OAEP (only for RSA cipher)

padding scheme as specified by PKCS#1 v2.0 and IEEE P1363

ISO9796 (only for RSA cipher)

padding scheme as specified by ISO/IEC 9796 and its annex A.

2)

 The ciphers do not use the update and final functions (this is

 C_EncryptUpdate,

 C_EncryptFinal,

 C_DecryptUpdate,

 C_DecryptFinal,

 C_SignUpdate,

 C_SignFinal) of PKCS#11 unless the applications calls a Cipher.update(...) function.

 Instead, it uses the single operation functions (this is

 C_Encrypt,

 C_Decrypt,

 C_Sign).

 

print Print