6.7. PKCS#11 Standalone Library

PKCS#11 (also called Cryptoki) is a Public-Key Cryptography Standard that defines a C API for storing cryptographic objects such as keys and certificates on a token and for performing cryptographic operations with them. It is mainly used with Hardware Security Modules and smart cards.

The PKCS#11 standalone library is supported with SE05x on Linux-based platforms.

6.7.1. Building on Linux/Raspberry Pi 3

The PKCS#11 standalone shared library can be built on Linux platforms and on the Raspberry Pi 3.

Build the PKCS#11 library for the Raspberry Pi 3 with the following CMake configuration:

  • RTOS_Default: ON

  • WithHostCrypto_MBEDTLS: ON

  • WithmbedTLS_ALT_SSS: ON

  • Project: sss_pkcs11

Note

The PKCS#11 library is not completely standalone, as the mbedTLS library is also used for parsing data.

6.7.2. PKCS#11 specifications

Token Label: SSS_PKCS11

Pin: Not required

Supported Mechanisms

  • RSA Mechanisms
    • CKM_RSA_PKCS
    • CKM_SHA1_RSA_PKCS
    • CKM_SHA224_RSA_PKCS
    • CKM_SHA256_RSA_PKCS
    • CKM_SHA384_RSA_PKCS
    • CKM_SHA512_RSA_PKCS
    • CKM_RSA_PKCS_PSS
    • CKM_SHA1_RSA_PKCS_PSS
    • CKM_SHA224_RSA_PKCS_PSS
    • CKM_SHA256_RSA_PKCS_PSS
    • CKM_SHA384_RSA_PKCS_PSS
    • CKM_SHA512_RSA_PKCS_PSS
    • CKM_RSA_PKCS_OAEP

  • AES Mechanisms
    • CKM_AES_ECB
    • CKM_AES_CBC
    • CKM_AES_CTR

  • Digest Mechanisms
    • CKM_SHA_1
    • CKM_SHA224
    • CKM_SHA256
    • CKM_SHA384
    • CKM_SHA512

  • ECDSA Mechanisms
    • CKM_ECDSA
    • CKM_ECDSA_SHA1

  • Key Generation Mechanisms
    • CKM_EC_KEY_PAIR_GEN
    • CKM_RSA_PKCS_KEY_PAIR_GEN
    • CKM_AES_KEY_GEN
    • CKM_DES2_KEY_GEN
    • CKM_DES3_KEY_GEN

  • Key Derivation Mechanisms
    • CKM_ECDH1_DERIVE

6.7.3. Using with pkcs11-tool

Generating a new key pair:

pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"

Signing:

pkcs11-tool --module $PKCS11_MODULE --sign --label sss:20181001 -m SHA256-RSA-PKCS --slot 1 -i in.der -o signature.der

Decryption:

pkcs11-tool --module $PKCS11_MODULE --decrypt --label sss:20202020 -m SHA256-RSA-PKCS --slot 1 -i in.der -o decrypt.der

Hashing:

pkcs11-tool --module $PKCS11_MODULE --hash -m SHA256 -i in.der -o hash.der
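The script below is an added example, not code from the NXP Plug & Trust documentation or from the sss_pkcs11 module. It strings the pkcs11-tool commands of this section together and goes one step beyond them: before signing it reads the token's advertised mechanism list (pkcs11-tool --list-mechanisms), confirms the mechanism it is about to use is present and reports any legacy mechanisms from the list in 6.7.2 (ECB, SHA-1, DES), and after signing it exports the public key and verifies the signature on the host with OpenSSL rather than trusting the token's own verify path. Assumptions not stated on the page: PKCS11_MODULE holds the path to the built sss_pkcs11 shared object, OpenSC's pkcs11-tool and openssl are on PATH, the token sits in slot 1, labels keep the page's "sss:<id>" form, pkcs11-tool prints the page's CKM_* mechanisms under names such as SHA256-RSA-PKCS, and the module lets --read-object --type pubkey export the public half of the key pair. SAMPLE_LIST is constructed output so the parsing functions can be exercised without an SE05x attached.

```shell
#!/bin/sh
# Added example; not part of the NXP Plug & Trust documentation or of the
# sss_pkcs11 module. Chains the 6.7.3 pkcs11-tool commands (generate, sign in
# the SE05x, verify on the host) and audits the token's mechanism list first.
#
# Assumptions not stated on the page: PKCS11_MODULE points at the built
# sss_pkcs11 shared object, OpenSC pkcs11-tool and openssl are on PATH, the
# token is in slot 1, labels keep the page's "sss:<id>" form, pkcs11-tool
# prints the page's CKM_* names as e.g. SHA256-RSA-PKCS, and the module lets
# --read-object --type pubkey export the public half of the key pair.

SLOT=${SLOT:-1}
LABEL=${LABEL:-sss:20202020}     # same label form as the page's keypairgen command
MECH=${MECH:-SHA256-RSA-PKCS}    # pkcs11-tool's name for CKM_SHA256_RSA_PKCS

# Mechanisms from the page's list that new designs should not build on:
# ECB exposes block structure, SHA-1 signatures are deprecated, 2/3-key DES
# is legacy. Their presence is reported as an audit finding, not an error.
LEGACY_MECHS="AES-ECB SHA-1 SHA1-RSA-PKCS SHA1-RSA-PKCS-PSS ECDSA-SHA1 DES2-KEY-GEN DES3-KEY-GEN"

# Constructed sample of `pkcs11-tool --list-mechanisms` output, used so the
# parsing functions can be exercised without an SE05x attached.
SAMPLE_LIST='Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  RSA-PKCS-OAEP, keySize={1024,4096}, hw, encrypt, decrypt
  AES-ECB, keySize={16,32}, hw, encrypt, decrypt
  SHA256, digest
  ECDSA-SHA1, keySize={256,521}, hw, sign, verify'

# Reduce --list-mechanisms output (stdin) to one mechanism name per line.
# pkcs11-tool indents each mechanism by two spaces and appends
# ", keySize={...}, hw, sign, ..." attributes after the name.
mechanism_names() {
    sed -n 's/^  \([^, ]*\).*/\1/p'
}

# Succeed if the named mechanism is advertised in the list read on stdin.
mechanism_listed() {
    mechanism_names | grep -qxF -- "$1"
}

# Print each legacy mechanism the token advertises (list read on stdin).
legacy_mechanisms_present() {
    names=$(mechanism_names)
    for m in $LEGACY_MECHS; do
        printf '%s\n' "$names" | grep -qxF -- "$m" && printf '%s\n' "$m"
    done
    return 0
}

# pkcs11-tool with the module and slot used throughout.
p11() {
    pkcs11-tool --module "${PKCS11_MODULE:?set PKCS11_MODULE to the sss_pkcs11 library path}" \
        --slot "$SLOT" "$@"
}

generate_keypair() {
    # Same shape as the page's command; 2048 bits chosen because 1024-bit RSA
    # is below current key-length guidance.
    p11 --keypairgen --key-type rsa:2048 --label "$LABEL"
}

# Sign file $1 with the token key, write the signature to $2, verify on host.
sign_and_verify() {
    data=$1
    sig=$2
    mechs=$(p11 --list-mechanisms) || return 1
    printf '%s\n' "$mechs" | mechanism_listed "$MECH" || {
        echo "token does not advertise $MECH" >&2
        return 1
    }
    legacy=$(printf '%s\n' "$mechs" | legacy_mechanisms_present)
    [ -z "$legacy" ] ||
        echo "note: legacy mechanisms advertised: $(printf '%s' "$legacy" | tr '\n' ' ')" >&2
    # Sign inside the SE05x. With SHA256-RSA-PKCS the token hashes the input
    # itself, so $data holds the message, not a precomputed digest.
    p11 --sign --label "$LABEL" -m "$MECH" -i "$data" -o "$sig" || return 1
    # Export only the public half and verify with OpenSSL, so the check does
    # not rely on the token's own verify path.
    pub_der=$(mktemp) && pub_pem=$(mktemp) || return 1
    if p11 --read-object --type pubkey --label "$LABEL" -o "$pub_der" &&
       openssl rsa -pubin -inform DER -in "$pub_der" -out "$pub_pem" &&
       openssl dgst -sha256 -verify "$pub_pem" -signature "$sig" "$data"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$pub_der" "$pub_pem"
    return $rc
}

# Usage:
#   sh sss_sign_verify.sh check-sample                      (offline, parses SAMPLE_LIST)
#   PKCS11_MODULE=/path/libsss_pkcs11.so sh sss_sign_verify.sh gen
#   PKCS11_MODULE=/path/libsss_pkcs11.so sh sss_sign_verify.sh sign in.der signature.der
case "${1:-}" in
    check-sample) printf '%s\n' "$SAMPLE_LIST" | legacy_mechanisms_present ;;
    gen)          generate_keypair ;;
    sign)         sign_and_verify "$2" "$3" ;;
esac
```

Run with `check-sample` to see the parser flag AES-ECB and ECDSA-SHA1 in the constructed list; with a module path set, `gen` and `sign` talk to the SE05x. The host-side verification is the part worth keeping in any deployment script: a signature that verifies against an exported public key proves the token signed exactly the bytes it was handed, independent of what the library reports.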