6.7. PKCS#11 Standalone Library
PKCS#11 is a Public-Key Cryptography Standard that defines an API for cryptographic operations on tokens. It is mainly used with Hardware Security Modules and smart cards.
The PKCS#11 standalone library is supported with SE05x on Linux-based platforms.
6.7.1. Building on Linux/Raspberry Pi3
The PKCS#11 standalone shared library can be built on Linux platforms and on the Raspberry Pi 3.
Build the PKCS#11 library for the Raspberry Pi 3 with the following CMake configuration:
- RTOS_Default: ON
- WithHostCrypto_MBEDTLS: ON
- WithmbedTLS_ALT_SSS: ON
- Project: sss_pkcs11
Note
The PKCS#11 library is not completely standalone, as the mbedTLS library is also used for parsing data.
6.7.2. PKCS#11 specifications
- Token Label
  SSS_PKCS11
- Pin
  Not required
- Supported Mechanisms
  - RSA Mechanisms
    CKM_RSA_PKCS
    CKM_SHA1_RSA_PKCS
    CKM_SHA224_RSA_PKCS
    CKM_SHA256_RSA_PKCS
    CKM_SHA384_RSA_PKCS
    CKM_SHA512_RSA_PKCS
    CKM_RSA_PKCS_PSS
    CKM_SHA1_RSA_PKCS_PSS
    CKM_SHA224_RSA_PKCS_PSS
    CKM_SHA256_RSA_PKCS_PSS
    CKM_SHA384_RSA_PKCS_PSS
    CKM_SHA512_RSA_PKCS_PSS
    CKM_RSA_PKCS_OAEP
  - AES Mechanisms
    CKM_AES_ECB
    CKM_AES_CBC
    CKM_AES_CTR
  - Digest Mechanisms
    CKM_SHA_1
    CKM_SHA224
    CKM_SHA256
    CKM_SHA384
    CKM_SHA512
  - ECDSA Mechanisms
    CKM_ECDSA
    CKM_ECDSA_SHA1
  - Key Generation Mechanisms
    CKM_EC_KEY_PAIR_GEN
    CKM_RSA_PKCS_KEY_PAIR_GEN
    CKM_AES_KEY_GEN
    CKM_DES2_KEY_GEN
    CKM_DES3_KEY_GEN
  - Key Derivation Mechanisms
    CKM_ECDH1_DERIVE
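A deployed module should be checked against this list rather than trusted on paper: the following script is an added example (not NXP's code) that parses the text printed by `pkcs11-tool --module $PKCS11_MODULE --list-mechanisms`, maps OpenSC's mechanism names back to the CKM_ constants above, and reports which documented mechanisms are missing, which undocumented ones the module advertises, and which private-key operations (sign, decrypt, derive, unwrap) the module does not flag as hardware-backed (the CKF_HW flag, printed as `hw`). The sample output embedded below is constructed for illustration; the mapping of OpenSC names to CKM_ constants is an assumption that holds for the mechanisms on this page.

```python
"""Check a pkcs11-tool --list-mechanisms dump against the SSS_PKCS11 mechanism list.

Added example, not part of the NXP documentation. SAMPLE_OUTPUT below is
constructed; feed the real command output to parse_mechanism_list() instead.
"""

# Mechanisms documented for the SSS_PKCS11 token (section 6.7.2).
DOCUMENTED = {
    # RSA
    "CKM_RSA_PKCS", "CKM_SHA1_RSA_PKCS", "CKM_SHA224_RSA_PKCS",
    "CKM_SHA256_RSA_PKCS", "CKM_SHA384_RSA_PKCS", "CKM_SHA512_RSA_PKCS",
    "CKM_RSA_PKCS_PSS", "CKM_SHA1_RSA_PKCS_PSS", "CKM_SHA224_RSA_PKCS_PSS",
    "CKM_SHA256_RSA_PKCS_PSS", "CKM_SHA384_RSA_PKCS_PSS",
    "CKM_SHA512_RSA_PKCS_PSS", "CKM_RSA_PKCS_OAEP",
    # AES
    "CKM_AES_ECB", "CKM_AES_CBC", "CKM_AES_CTR",
    # Digest
    "CKM_SHA_1", "CKM_SHA224", "CKM_SHA256", "CKM_SHA384", "CKM_SHA512",
    # ECDSA
    "CKM_ECDSA", "CKM_ECDSA_SHA1",
    # Key generation
    "CKM_EC_KEY_PAIR_GEN", "CKM_RSA_PKCS_KEY_PAIR_GEN", "CKM_AES_KEY_GEN",
    "CKM_DES2_KEY_GEN", "CKM_DES3_KEY_GEN",
    # Key derivation
    "CKM_ECDH1_DERIVE",
}

# OpenSC names that do not follow the plain "replace '-' with '_'" rule (assumption).
SPECIAL_NAMES = {"SHA-1": "CKM_SHA_1", "ECDSA-KEY-PAIR-GEN": "CKM_EC_KEY_PAIR_GEN"}

# Operations that touch private or secret key material; a secure-element
# backed module is expected to flag these as hardware (hw).
PRIVATE_KEY_OPS = {"sign", "decrypt", "derive", "unwrap"}

# Constructed sample of pkcs11-tool --list-mechanisms output (not real SE05x output).
SAMPLE_OUTPUT = """\
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  RSA-PKCS-OAEP, keySize={1024,4096}, hw, decrypt
  AES-CBC, keySize={16,32}, hw, encrypt, decrypt
  ECDSA, keySize={192,521}, hw, sign, verify
  ECDSA-KEY-PAIR-GEN, keySize={192,521}, hw, generate_key_pair
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, hw, generate_key_pair
  ECDH1-DERIVE, keySize={192,521}, hw, derive
  SHA224-RSA-PKCS, keySize={1024,4096}, sign, verify
  mechtype-0x80000001, hw, sign
"""


def to_ckm(name):
    """Map an OpenSC mechanism name to its CKM_ constant."""
    if name.startswith("mechtype-"):
        return name  # vendor or unknown mechanism; pkcs11-tool prints the raw number
    return SPECIAL_NAMES.get(name, "CKM_" + name.replace("-", "_"))


def parse_mechanism_list(text):
    """Return {CKM_name: set(flags)} from pkcs11-tool --list-mechanisms text."""
    mechs = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue  # "Using slot ..." and "Supported mechanisms:" headers
        name, _, rest = line.strip().partition(",")
        # keySize={a,b} has no space after its comma, so ", " is a safe separator
        flags = {f.strip() for f in rest.split(", ") if f.strip()}
        mechs[to_ckm(name)] = flags
    return mechs


def check_mechanisms(mechs):
    """Compare parsed mechanisms with the documented set and the hw expectation."""
    present = set(mechs)
    return {
        "missing": sorted(DOCUMENTED - present),
        "undocumented": sorted(present - DOCUMENTED),
        "software_only": sorted(
            n for n, f in mechs.items() if f & PRIVATE_KEY_OPS and "hw" not in f
        ),
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for key, names in check_mechanisms(parse_mechanism_list(text)).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Pipe the real output into the script (`pkcs11-tool --module $PKCS11_MODULE --list-mechanisms | python3 check_mechs.py`); with no piped input it reports on the constructed sample. A non-empty `software_only` list is the finding to chase first, since it means a private-key operation is not reported as performed by the SE05x.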
6.7.3. Using with pkcs11-tool
Generating a new keypair:
pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
Signing:
pkcs11-tool --module $PKCS11_MODULE --sign --label sss:20181001 -m SHA256-RSA-PKCS --slot 1 -i in.der -o signature.der
Decryption (pkcs11-tool accepts an encryption mechanism here, RSA-PKCS for CKM_RSA_PKCS or RSA-PKCS-OAEP for CKM_RSA_PKCS_OAEP; a signature mechanism such as SHA256-RSA-PKCS is rejected by C_DecryptInit):
pkcs11-tool --module $PKCS11_MODULE --decrypt --label sss:20202020 -m RSA-PKCS --slot 1 -i in.der -o decrypt.der
Hashing:
pkcs11-tool --module $PKCS11_MODULE --hash -m SHA256 -i in.der -o hash.der
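The commands above stop at producing a signature; a relying party wants to confirm off-device that the signature verifies under the token's public key. The following script is an added example (not part of the NXP documentation) that chains key generation, signing, public-key export and an OpenSSL verification. It assumes PKCS11_MODULE points at the built sss_pkcs11 shared object, slot 1 as in the documentation's own commands, labels of the form sss:<8 hex digits>, and an RSA-2048 key; because the token requires no PIN, the script passes none, which also means any process that can load the module can use these keys.

```shell
#!/bin/sh
# Added example, not NXP's code: sign with the SSS_PKCS11 token via pkcs11-tool
# and verify the signature on the host with OpenSSL.
# Assumptions: PKCS11_MODULE = path of the built sss_pkcs11 shared object,
# slot 1 (as in the documentation), labels "sss:<8 hex digits>" (SE05x object id),
# RSA-2048 key (the page itself uses rsa:1024; 2048 is this example's choice).

SLOT="${SLOT:-1}"

# valid_sss_label LABEL: accept only "sss:" followed by exactly 8 hex digits
valid_sss_label() {
    case "$1" in
        sss:[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# module_usable PATH: the module must be a readable file before it is handed
# to pkcs11-tool, so a wrong path fails here instead of as a cryptic load error
module_usable() {
    [ -n "$1" ] && [ -r "$1" ]
}

# sign_and_verify LABEL INPUT WORKDIR
# 1. generate an RSA key pair on the SE05x under LABEL (no PIN, none is required)
# 2. sign INPUT with SHA256-RSA-PKCS: pkcs11-tool passes the raw data and the
#    module hashes and signs it
# 3. read the public key back and verify with OpenSSL, the check a relying
#    party performs without access to the SE05x
sign_and_verify() {
    label="$1"; input="$2"; work="$3"
    valid_sss_label "$label" || { echo "bad label: $label" >&2; return 1; }
    module_usable "${PKCS11_MODULE:-}" || { echo "PKCS11_MODULE not readable" >&2; return 1; }
    pkcs11-tool --module "$PKCS11_MODULE" --slot "$SLOT" --keypairgen \
        --key-type rsa:2048 --label "$label" >/dev/null
    pkcs11-tool --module "$PKCS11_MODULE" --slot "$SLOT" --sign --label "$label" \
        -m SHA256-RSA-PKCS -i "$input" -o "$work/signature.bin"
    pkcs11-tool --module "$PKCS11_MODULE" --slot "$SLOT" --read-object --type pubkey \
        --label "$label" -o "$work/pub.der"
    openssl pkey -pubin -inform DER -in "$work/pub.der" -out "$work/pub.pem"
    # prints "Verified OK" and returns 0 only if the signature matches the input
    openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/signature.bin" "$input"
}

# Runs only when a label and input file are given and the module is present:
#   PKCS11_MODULE=/path/to/libsss_pkcs11.so sh se05x_sign_verify.sh sss:20202020 in.der
if [ $# -ge 2 ] && module_usable "${PKCS11_MODULE:-}"; then
    work="$(mktemp -d)"
    sign_and_verify "$1" "$2" "$work"
fi
```

The verification step is the point of the script: a signature that pkcs11-tool wrote without error but that OpenSSL rejects indicates a mismatch between the mechanism the module applied and the one the host expects, which is exactly the condition a deployment test should catch.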
