PKCS#11 – Supported Mechanism – Function Table per Token


CCPLEX Token Table (Safety and Dynamic):

Mechanism type	Allowed operations	Allowed key types (Used by or supplied to the mechanism)	Allowed key sizes (Used by or supplied to the mechanism)	Update allowed (True means data supplied over multiple parts supported)	Notes
CKM_SHA256	CKF_DIGEST			True
CKM_SHA384	CKF_DIGEST			True
CKM_SHA512	CKF_DIGEST			True
CKM_SHA3_256	CKF_DIGEST			True
CKM_SHA3_384	CKF_DIGEST			True
CKM_SHA3_512	CKF_DIGEST			True
CKM_SHA256_HMAC	CKF_SIGN CKF_VERIFY CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY	CKK_GENERIC_SECRET	32B	False	QNX only NIST [FIPS 180-4] NIST [FIPS 198-1]
CKM_AES_CBC	CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT CKF_WRAP CKF_UNWRAP	CKK_AES	16B 32B	True	NIST [SP 800-38A] NIST [FIPS 197]
CKM_AES_CBC_PAD	CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT	CKK_AES	16B 32B	True	NIST [SP 800-38A] NIST [FIPS 197]
CKM_AES_CTR	CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT	CKK_AES	16B 32B	True	NIST [SP 800-38A] NIST [FIPS 197]
CKM_AES_GCM	CKF_UNWRAP CKF_ENCRYPT CKF_DECRYPT CKF_MESSAGE_ENCRYPT CKF_MESSAGE_DECRYPT	CKK_AES	16B 32B	False	NIST [SP 800-38D], supporting 96-bit IVs of fixed length NIST [FIPS 197]
CKM_AES_CMAC	CKF_SIGN CKF_VERIFY CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY	CKK_AES	16B 32B	False	NIST [SP 800-38B] NIST [FIPS 197]
CKM_AES_GMAC	CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY	CKK_AES	16B 32B	True	NIST [SP 800-38D] NIST [FIPS 197]
CKM_RSA_PKCS_PSS	CKF_VERIFY	CKK_RSA		False	using RSA with 3072 and 4096-bit key sizes, and secure hash algorithms SHA-256, SHA-384 and SHA-512 [FIPS 180-4] for both the hash algorithm and Mask Generating Function (MGF1) [PKCS1-v2.2]
CKM_ECDSA	CKF_SIGN CKF_VERIFY	CKK_EC		False	curve secp256r1 [SEC2-V2] using secure hash algorithm SHA-256 [FIPS 180-4]
CKM_EDDSA	CKF_SIGN CKF_VERIFY	CKK_EC_EDWARDS		False	curve Ed25519ph [RFC 8032] curve Ed25519 [RFC 8032]
CKM_SP800_108_COUNTER_KDF	CKF_DERIVE	CKK_AES CKK_GENERIC_SECRET	16B 32B		using CKM_AES_CMAC [FIPS 197] using CKM_SHA256_HMAC [FIPS 198-1][FIPS 180-4]
CKM_ECDH1_DERIVE	CKF_DERIVE	CKK_EC CKK_EC_MONTGOMERY			Deriving either a CKK_GENERIC_SECRET or CKK_AES. Curve25519 or secp256r1. Only valid with private base key. Not valid for token (persistent) derived keys
CKM_AES_KEY_GEN	CKF_GENERATE				Returning 16 or 32 byte keys
CKM_EC_EDWARDS_KEY_PAIR_GEN	CKF_GENERATE_KEY_PAIR				generate EC public/private key pairs over the curve Ed25519
CKM_EC_MONTGOMERY_KEY_PAIR_GEN	CKF_GENERATE_KEY_PAIR				generate EC public/private key pairs over the curve 25519
CKM_GENERIC_SECRET_KEY_GEN	CKF_GENERATE				Returning 16 or 32 byte keys
CKM_EC_KEY_PAIR_GEN	CKF_GENERATE_KEY_PAIR				Generate EC public/private key pairs over the curve secp256r1 FIPS 186-4 Appendix B.4.2
CKM_NVIDIA_AES_CBC_KEY_DATA_WRAP	CKF_WRAP	CKK_AES	16B 32B		Custom mechanism intended for camera use
CKM_NVIDIA_SP800_56C_TWO_STEPS_KDF	CKF_DERIVE	CKK_AES CKK_GENERIC_SECRET	16B 32B		Custom mechanism intended for camera use
CKM_NVIDIA_MACSEC_AES_KEY_WRAP	CKF_WRAP CKF_UNWRAP	CKK_AES			Custom mechanism for use with MACSEC Only supported on CCPLEX 13
CKM_NVIDIA_PSC_AES_CMAC	CKF_SIGN CKF_VERIFY CKF_MESSAGE_SIGN CKF_MESSAGE_VERIFY	CKK_AES	16B 32B	False	Custom mechanism for use with MACSEC Only supported on CCPLEX 13
CKM_TLS12_MASTER_KEY_DERIVE_DH	CKF_DERIVE	CKK_GENERIC_SECRET			using CKM_SHA256_HMAC deriving 384-bit key size. Only use with ECDH outputs as base key. Not valid for token (persistent) base or derived keys
CKM_TLS12_KDF	CKF_DERIVE	CKK_GENERIC_SECRET	48B		using CKM_SHA256_HMAC with a CKK_GENERIC_SECRET key of 48B (384 bits) deriving 128-bit or 256-bit key sizes. Not valid for token (persistent) base or derived keys
CKM_TLS12_MAC	CKF_SIGN CKF_VERIFY	CKK_GENERIC_SECRET	48B	False
CKM_TLS12_KEY_AND_MAC_DERIVE	CKF_DERIVE	CKK_GENERIC_SECRET	48B		using CKM_SHA256_HMAC with a CKK_GENERIC_SECRET key of 48B (384 bits) deriving 128-bit or 256-bit key sizes. Not valid for token (persistent) base or derived keys
CKM_TLS12_KEY_SAFE_DERIVE	CKF_DERIVE	CKK_GENERIC_SECRET	48B		using CKM_SHA256_HMAC with a CKK_GENERIC_SECRET key of 48B (384 bits) deriving 128-bit or 256-bit key sizes. Not valid for token (persistent) base or derived keys
CKM_NVIDIA_AES_GCM_KEY_UNWRAP	CKF_UNWRAP	CKK_AES	16B 32B


TSEC Dynamic Token Table

Mechanism type	Allowed operations	Allowed key types (Used by or supplied to the mechanism)	Allowed key sizes (Used by or supplied to the mechanism)	Update allowed (True means data supplied over multiple parts supported)	Notes
CKM_SP800_108_COUNTER_KDF	CKF_DERIVE	CKK_AES CKK_GENERIC_SECRET	16B		using CKM_AES_CMAC [FIPS 197]
CKM_AES_GCM	CKF_UNWRAP	CKK_AES	16B
CKM_NVIDIA_AES_GCM_KEY_UNWRAP	CKF_UNWRAP	CKK_AES	16B


TSEC Safety Token Table

Mechanism type	Allowed operations	Allowed key types (Used by or supplied to the mechanism)	Allowed key sizes (Used by or supplied to the mechanism)	Update allowed (True means data supplied over multiple parts supported)	Notes
CKM_AES_CMAC	CKF_SIGN CKF_VERIFY	CKK_AES	16B	False	NIST [SP 800-38B] NIST [FIPS 197]


FSI Dynamic Token Table

Mechanism type	Allowed operations	Allowed key types (Used by or supplied to the mechanism)	Allowed key sizes (Used by or supplied to the mechanism)	Update allowed (True means data supplied over multiple parts supported)	Notes
CKM_SP800_108_COUNTER_KDF	CKF_DERIVE	CKK_AES CKK_GENERIC_SECRET	16B 32B		using CKM_AES_CMAC [FIPS 197] using CKM_SHA256_HMAC [FIPS 198-1][FIPS 180-4]
CKM_AES_KEY_GEN	CKF_GENERATE				Returning 16 or 32 byte keys
CKM_GENERIC_SECRET_KEY_GEN	CKF_GENERATE				Returning 16 or 32 byte keys
CKM_AES_GCM	CKF_UNWRAP	CKK_AES	16B 32B
CKM_NVIDIA_AES_GCM_KEY_UNWRAP	CKF_UNWRAP	CKK_AES	16B 32B
CKM_EC_EDWARDS_KEY_PAIR_GEN	CKF_GENERATE_KEY_PAIR				generate EC public/private key pairs over the curve Ed25519
CKM_EC_MONTGOMERY_KEY_PAIR_GEN	CKF_GENERATE_KEY_PAIR				generate EC public/private key pairs over the curve 25519
CKM_EC_KEY_PAIR_GEN	CKF_GENERATE_KEY_PAIR				Generate EC public/private key pairs over the curve secp256r1 FIPS 186-4 Appendix B.4.2
CKM_ECDH1_DERIVE	CKF_DERIVE	CKK_EC CKK_EC_MONTGOMERY			Deriving either a CKK_GENERIC_SECRET or CKK_AES. Curve25519 or secp256r1. Only valid with Private base key. Not valid for token (persistent) derived keys