PKCS#11 – Supported Attributes

Create EC and RSA Public Key Attributes Support

The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.

Table Entry

Meaning

Yes

Indicates that PKCS#11 library supports the attribute for the specific key type.

No

Indicates that PKCS#11 library does not support the attribute for the specific key type.

Read-only

The attribute is set to read-only for the specific key type.

An empty cell in Default Value column indicates no specific value is assigned to the attribute.

(Result of library function)

Indicates that the attribute value is determined by the PKCS#11 library.
C_CreateObject
Attributes KeyTypes Default Values Note
EC Public RSA Public

CKA_CLASS

Yes

Yes

?CKO_PUBLIC_KEY

Mandatory template attribute.

CKA_TOKEN

Yes

Yes

FALSE

 -

CKA_PRIVATE

Read-only

Read-only

TRUE

NVIDIA limitation. All objects are private.

CKA_LABEL

Yes

Yes

?

CKA_VALUE

No

No

?

?

CKA_TRUSTED

Read-only

Read-only

FALSE

NVIDIA limitation. Cannot create a trusted wrapping key at runtime.

CKA_CHECK_VALUE

No

No

?

?

CKA_KEY_TYPE

Yes

Yes

?

Mandatory template attribute.

CKA_SUBJECT

No

No

NVIDIA limitation. Attribute not supported.?

CKA_ID

Yes

Yes

?

Mandatory template .

CKA_SENSITIVE

No

No

?

?

CKA_ENCRYPT

Read-only

Read-only

FALSE

NVIDIA limitation. Public key encryption is not supported.

CKA_DECRYPT

No

No

CKA_WRAP

Read-only

Read-only

FALSE

NVIDIA limitation. Public key wrap is not supported.

CKA_UNWRAP

No

No

CKA_SIGN

No

No

CKA_VERIFY

Yes

Yes

FALSE

NVIDIA limitation. Observe single purpose rules

CKA_VERIFY_RECOVER

No

No

?

NVIDIA limitation. Attribute not supported.

CKA_DERIVE

Read-only

Read-only

FALSE

NVIDIA limitation. Cannot derive from a Public key.

CKA_START_DATE

Yes

Yes

?

CKA_END_DATE

Yes

Yes

?

CKA_MODULUS

No

Yes

?

Mandatory template attribute.

CKA_MODULUS_BITS

No

Read-only

(Result of library function)

Must not be template attribute.

CKA_PUBLIC_EXPONENT

No

Yes

?

Mandatory template attribute.

CKA_PUBLIC_KEY_INFO

No

No

?

NVIDIA limitation. Attribute not supported.

CKA_VALUE_LEN

No

No

?

?

CKA_EXTRACTABLE

No

No

?

?

CKA_LOCAL

Read-only

Read-only

FALSE

Must not be template attribute.

CKA_NEVER_EXTRACTABLE

No

No

?

?

CKA_ALWAYS_SENSITIVE

No

No

?

?

CKA_KEY_GEN_MECHANISM

Read-only

Read-only

CK_UNAVAILABLE_INFORMATION

Due to CKA_LOCAL set FALSE.

CKA_MODIFIABLE

Yes

Yes

TRUE

?

CKA_COPYABLE

Yes

Yes

TRUE

CKA_DESTROYABLE

Yes

Yes

TRUE

?

CKA_EC_PARAMS

Yes

No

?

Mandatory template attribute.

CKA_EC_POINT

Yes

No

?

Mandatory template attribute.

CKA_WRAP_WITH_TRUSTED

No

No

CKA_WRAP_TEMPLATE

No

No

?

?NVIDIA limitation. Not supported.

CKA_UNWRAP_TEMPLATE

No

No

?

?

CKA_ALLOWED_MECHANISMS

Yes

Yes

Mandatory template attribute.
CKA_NVIDIA_CALLER_NONCE No No

Create Secret Key Attributes Support

The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.

Table Entry Meaning
Yes Indicates that PKCS#11 library supports the attribute for the specific key type.
No Indicates that PKCS#11 library does not support the attribute for the specific key type.
Read-only The attribute is set to read-only for the specific key type.
An empty cell in Default Value column indicates there is no specific value assigned to the attribute.
(Result of library function) Indicates that the PKCS#11 library determines the attribute value.
C_CreateObject
Attributes Key Type Default Value Note
Generic Secret AES
CKA_CLASS Yes Yes CKO_SECRET_KEY Mandatory template attribute.
CKA_TOKEN Yes Yes FALSE
CKA_PRIVATE Read-only Read-only TRUE NVIDIA limitation. All objects are private.
CKA_LABEL Yes Yes
CKA_VALUE Yes Yes Mandatory template attribute.
CKA_TRUSTED Read-only Read-only FALSE NVIDIA limitation. Cannot create a trusted wrapping key at runtime.
CKA_CHECK_VALUE No No NVIDIA limitation. Attribute not supported.
CKA_KEY_TYPE Yes Yes Mandatory template attribute.
CKA_SUBJECT No No NVIDIA limitation. Attribute not supported.
CKA_ID Yes Yes Mandatory template attribute.
CKA_SENSITIVE Read-only Read-only TRUE NVIDIA limitation. No access to secret key material.
CKA_ENCRYPT No Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_DECRYPT No Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_WRAP No Yes FALSE
CKA_UNWRAP No Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_SIGN Yes Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_VERIFY Yes Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_VERIFY_RECOVER No No
CKA_DERIVE Yes Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_START_DATE Yes Yes
CKA_END_DATE Yes Yes
CKA_MODULUS No No
CKA_MODULUS_BITS No No
CKA_PUBLIC_EXPONENT No No
CKA_PUBLIC_KEY_INFO No No
CKA_VALUE_LEN Read-only Read-only (Result of library function) Must not be template attribute.
CKA_EXTRACTABLE Yes Yes FALSE
CKA_LOCAL Read-only Read-only FALSE Must not be template attribute.
CKA_NEVER_EXTRACTABLE Read-only Read-only FALSE Must not be template attribute.
CKA_ALWAYS_SENSITIVE Read-only Read-only FALSE Must not be template attribute.
CKA_KEY_GEN_MECHANISM Read-only Read-only CK_UNAVAILABLE_INFORMATION Due to CKA_LOCAL set FALSE.
CKA_MODIFIABLE Yes Yes TRUE
CKA_COPYABLE Yes Yes TRUE
CKA_DESTROYABLE Yes Yes TRUE
CKA_EC_PARAMS No No
CKA_EC_POINT No No
CKA_WRAP_WITH_TRUSTED Yes Yes FALSE
CKA_WRAP_TEMPLATE No No NVIDIA limitation. Not supported
CKA_UNWRAP_TEMPLATE No No NVIDIA limitation. Not supported.
CKA_ALLOWED_MECHANISMS Yes Yes Mandatory template attribute.
CKA_NVIDIA_CALLER_NONCE Read-only Read-only FALSE

Generate Secret Key Attributes Support

The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being generated.

Table Entry

Meaning

Yes

Indicates that PKCS#11 library supports the attribute for the specific key type.

No

Indicates that PKCS#11 library does not support the attribute for the specific key type.

Read-only

The attribute is set to read-only for the specific key type.

An empty cell in the Default Value column indicates there is no specific value assigned to the attribute.

(Result of library function)

Indicates that the attribute value is determined by the PKCS#11 library.
C_GenerateKey
Attributes Key Type Default Value Note
Generic Secret AES

CKA_CLASS

Read-only

Read-only

CKO_SECRET_KEY

Implied by generation mechanism.

Cannot be changed.

CKA_TOKEN

Yes

Yes

FALSE

CKA_PRIVATE

Read-only

Read-only

TRUE

NVIDIA limitation. All objects are private.

CKA_LABEL

Yes

Yes

?

CKA_VALUE

Read-only

Read-only

(Result of library function)

Is set by mechanism.

CKA_TRUSTED

Read-only

Read-only

FALSE

NVIDIA limitation. Cannot create a trusted wrapping key at runtime.

CKA_CHECK_VALUE

No

No

?NVIDIA limitation. Attribute not supported.

CKA_KEY_TYPE

Read-only

Read-only

(Result of library function)

Is set by mechanism Cannot be changed.

CKA_SUBJECT

No

No

?

?

CKA_ID

Yes

Yes

?

Mandatory template attribute.

CKA_SENSITIVE

Read-only

Read-only

TRUE

NVIDIA limitation. No access to Secret key material.

CKA_ENCRYPT

No

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_DECRYPT

No

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_WRAP

No

Yes

FALSE

CKA_UNWRAP

 No

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_SIGN

Yes

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_VERIFY

Yes

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_VERIFY_RECOVER

No

No

?

?

CKA_DERIVE

Yes

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_START_DATE

Yes

Yes

?

CKA_END_DATE

Yes

Yes

?

CKA_MODULUS

No

No

?

?

CKA_MODULUS_BITS

No

No

?

?

CKA_PUBLIC_EXPONENT

No

No

?

?

CKA_PUBLIC_KEY_INFO

No

No

?

?

CKA_VALUE_LEN

Yes

Yes

16

Mandatory template attribute.

CKA_EXTRACTABLE

Yes

Yes

FALSE

CKA_LOCAL

Read-only

Read-only

TRUE

Must not be template attribute.

CKA_NEVER_EXTRACTABLE

Read-only

Read-only

(Result of library function)

Must not be template attribute.

CKA_ALWAYS_SENSITIVE

Read-only

Read-only

TRUE

Must not be template attribute. NVIDIA limitation. No access to Secret key material.

CKA_KEY_GEN_MECHANISM

Read-only

Read-only

(Result of library function)

Must not be template attribute.

CKA_MODIFIABLE

Yes

Yes

TRUE

?

CKA_COPYABLE

Yes

Yes

TRUE

CKA_DESTROYABLE

Yes

Yes

TRUE

?

CKA_EC_PARAMS

No

No

?

?

CKA_EC_POINT

No

No

?

?

CKA_WRAP_WITH_TRUSTED

Yes

Yes

FALSE

CKA_WRAP_TEMPLATE

No

No

?

NVIDIA limitation. Not supported.

CKA_UNWRAP_TEMPLATE

No

No

?

NVIDIA limitation. Not supported.

CKA_ALLOWED_MECHANISMS

Yes

Yes

?Mandatory template attribute.
CKA_NVIDIA_CALLER_NONCE Read-only Read-only FALSE

Generate Public / Private Key Pair Attributes Support

The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being generated.

Table Entry Meaning
Yes Indicates that PKCS#11 library supports the attribute for the specific key type.
No Indicates that PKCS#11 library does not support the attribute for the specific key type.
Read-only The attribute is set to read-only for the specific key type.
An empty cell in Default Value column indicates there is no specific value assigned to the attribute.
(Result of library function) Indicates that the PKCS#11 library determines the attribute value.
C_GenerateKeyPair
Attributes Key Type Default Value Note
EC Public EC Private
CKA_CLASS Read-only Read-only (Result of library function)
CKA_TOKEN Yes Yes FALSE Same value for both templates.
CKA_PRIVATE Read-only Read-only TRUE NVIDIA limitation. All objects are private.
CKA_LABEL Yes Yes
CKA_VALUE No No
CKA_TRUSTED Read-only No FALSE NVIDIA limitation. Cannot create a trusted wrapping key at runtime.
CKA_CHECK_VALUE No No
CKA_KEY_TYPE Read-only Read-only (Result of library function)
CKA_SUBJECT No No NVIDIA limitation. Attribute not supported.
CKA_ID Yes Yes Mandatory template attribute, they must be identical.
CKA_SENSITIVE No Read-only TRUE NVIDIA limitation. No access to private key material.
CKA_ENCRYPT Read-only No FALSE NVIDIA limitation. Public key encryption is not supported.
CKA_DECRYPT No Read-only FALSE NVIDIA limitation. Private key decryption is not supported.
CKA_WRAP Read-only No FALSE NVIDIA limitation. Public key wrap is not supported.
CKA_UNWRAP No Read-only FALSE NVIDIA limitation. Private key unwrap is not supported.
CKA_SIGN No Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_SIGN_RECOVER No No - NVIDIA limitation. Attribute not supported.
CKA_VERIFY Yes No FALSE NVIDIA limitation. Observe single purpose rules.
CKA_VERIFY_RECOVER No No - NVIDIA limitation. Attribute not supported.
CKA_DERIVE Read-only Yes FALSE NVIDIA limitation. Cannot derive from a public key.
CKA_START_DATE Yes Yes
CKA_END_DATE Yes Yes
CKA_MODULUS No No
CKA_MODULUS_BITS No No
CKA_PUBLIC_EXPONENT No No
CKA_PUBLIC_KEY_INFO No No NVIDIA limitation. Attribute not supported.
CKA_VALUE_LEN No No
CKA_EXTRACTABLE No Yes FALSE
CKA_LOCAL Read-only Read-only TRUE Must not be template attribute.
CKA_NEVER_EXTRACTABLE No Read-only (Result of library function) Must not be template attribute
CKA_ALWAYS_SENSITIVE No Read-only TRUE Must not be template attribute. NVIDIA limitation. No access to private key material.
CKA_KEY_GEN_MECHANISM Read-only Read-only (Result of library function) Must not be template attribute.
CKA_MODIFIABLE Yes Yes TRUE
CKA_COPYABLE Yes Yes TRUE
CKA_DESTROYABLE Yes Yes TRUE
CKA_EC_PARAMS Yes Read-only

Public key: mandatory template attribute.

Private key: must not be template attribute.
CKA_EC_POINT Read-only No (Result of library function)
CKA_WRAP_WITH_TRUSTED No Yes FALSE
CKA_WRAP_TEMPLATE No No NVIDIA limitation. Not supported.
CKA_UNWRAP_TEMPLATE No No NVIDIA limitation. Not supported.
CKA_ALLOWED_MECHANISMS Yes Yes Mandatory template attribute.
CKA_ALWAYS_AUTHENTICATE No No NVIDIA limitation. Not supported for private keys.
CKA_NVIDIA_CALLER_NONCE No No

Derive Secret Key Attributes Support

The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being derived.

Table Entry

Meaning

Yes

Indicates that PKCS#11 library supports the attribute for the specific key type.

No

Indicates that PKCS#11 library does not support the attribute for the specific key type.

Read-only

The attribute is set to read-only for the specific key type.

An empty cell in Default Value column indicates there is no specific value assigned to the attribute.

(Result of library function)

Indicates that the PKCS#11 library determines the attribute value.
C_DeriveKey ?
Attributes? Key Type Default Value? Note?
Generic Secret AES

CKA_CLASS

 Read-only

Read-only

CKO_SECRET_KEY

NVIDIA limitation. Can only derive a Secret key.

CKA_TOKEN

 Yes

Yes

FALSE

NVIDIA limitation. Can only derive a Token key from a Token key.

CKA_PRIVATE

 Read-only

Read-only

TRUE

NVIDIA limitation. All objects are private.

CKA_LABEL

 Yes

Yes

?

CKA_VALUE

 Read-only

Read-only

(Result of library function)

CKA_TRUSTED

 Read-only

Read-only

FALSE

NVIDIA limitation. Cannot create a trusted wrapping key at runtime.

CKA_CHECK_VALUE

 No

No

NVIDIA limitation. Not supported.

CKA_KEY_TYPE

 Yes

Yes

Mandatory template attribute.

CKA_SUBJECT

 No

No

?

?

CKA_ID

 Yes

Yes

?

Mandatory template attribute.

CKA_SENSITIVE

 Yes Yes

TRUE

NVIDIA limitation. Any Secret Key with CKA_SENSITIVE False cannot be used for cryptographic operations.

CKA_ENCRYPT

 No

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_DECRYPT

 No

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_WRAP

 No

Yes

FALSE

CKA_UNWRAP

 No

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_SIGN

 Yes

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_VERIFY

 Yes

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_VERIFY_RECOVER

 No

No

?

?

CKA_DERIVE

 Yes

Yes

FALSE

NVIDIA limitation. Observe single purpose rules.

CKA_START_DATE

 Yes

Yes

?

CKA_END_DATE

 Yes

Yes

?

CKA_MODULUS

 No

No

?

?

CKA_MODULUS_BITS

 No

No

?

?

CKA_PUBLIC_EXPONENT

 No

No

?

?

CKA_PUBLIC_KEY_INFO

 No

No

?

?

CKA_VALUE_LEN

 Yes

Yes

16

Mandatory template attribute.?

CKA_EXTRACTABLE

 Yes

Yes

FALSE

NVIDIA limitation. If the base key has its CKA_EXTRACTABLE attribute set to CK_FALSE, then the derived key will too

CKA_LOCAL

 Read-only

Read-only

FALSE

Must not be template attribute.

CKA_NEVER_EXTRACTABLE

 Read-only

Read-only

Inherited from base key depending on CKA_EXTRACTABLE history*

Must not be template attribute.

CKA_ALWAYS_SENSITIVE

 Read-only

Read-only

Inherited from base key depending on CKA_SENSITIVE history**

Must not be template attribute.

CKA_KEY_GEN_MECHANISM

 Read-only

Read-only

CK_UNAVAILABLE_INFORMATION

Due to CKA_LOCAL set FALSE

CKA_MODIFIABLE

 Yes

Yes

TRUE

?

CKA_COPYABLE

 Yes

Yes

TRUE

CKA_DESTROYABLE

 Yes

Yes

TRUE

?

CKA_EC_PARAMS

 No

No

?

?

CKA_EC_POINT

 No

No

?

?

CKA_WRAP_WITH_TRUSTED

 Yes

Yes

FALSE

CKA_WRAP_TEMPLATE

 No

No

?

NVIDIA limitation. Not supported.

CKA_UNWRAP_TEMPLATE

 No

No

?

NVIDIA limitation. Not supported.

CKA_ALLOWED_MECHANISMS

 Yes

Yes

?Mandatory template attribute
CKA_NVIDIA_CALLER_NONCE Yes Yes FALSE NVIDIA Extension May be TRUE only for encrypt/decrypt session keys derived using CKM_TLS12_KEY_AND_MAC_DERIVE or CKM_TLS12_KEY_SAFE_DERIVE

* If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_FALSE, then the derived key will too. If the base key has its CKA_NEVER_EXTRACTABLE attribute set to CK_TRUE, then the derived key has its CKA_NEVER_EXTRACTABLE attribute set to the opposite value from its CKA_EXTRACTABLE attribute. If the base key has its CKA_EXTRACTABLE attribute set to CK_FALSE, then the derived key will too.

** If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_FALSE, then the derived key will as well. If the base key has its CKA_ALWAYS_SENSITIVE attribute set to CK_TRUE, then the derived key has its CKA_ALWAYS_SENSITIVE attribute set to the same value as its CKA_SENSITIVE attribute.

Unwrap Key Attributes Support with CKM_NVIDIA_AES_GCM_KEY_UNWRAP

PKCS#11 library does not support Cryptoki attributes supplied within a template to be applied to the unwrapped key with CKM_AES_GCM mechanism. The key attributes are instead supplied via the optional Additional authenticated Data (AAD) input when CKM_NVIDIA_AES_GCM_KEY_UNWRAP mechanism is called with C_UnwrapKey.

This change uses a vendor-specific mechanism introduced at 6.0.8.1. It is backwards compatible for customers who already created unwrapping keys with CKM_AES_GCM as the supported mechanism, and where both CKM_AES_GCM and CKM_NVIDIA_AES_GCM_KEY_UNWRAP can coexist and be used.

How does this change affect the customer application? Depending on the combination of how the supported mechanism in the unwrapping key is named, and how the unwrapping mechanism is named when C_UnwrapKey is called, the PKCS#11 library reacts according to one of the four possible combinations, as shown below:

Unwrap Key Mechanism
CKM_AES_GCM CKM_NVIDIA_AES_GCM_KEY_UNWRAP
Supported mechanism in the unwrapping key CKM_AES_GCM

  • If pTemplate == NULL

    unwrap using CKM_NVIDIA_AES_GCM_KEY_UNWRAP

    Log ("Update unwrapping mechanism and key supported mechanisms")

  • If pTemplate != NULL

    return CKR_ARGUMENTS_BAD (not supported as of 6.0.8.1)

  • If pTemplate == NULL

    unwrap using CKM_NVIDIA_AES_GCM_KEY_UNWRAP

    Log("Update key supported mechanisms")

  • If pTemplate != NULL

    return CKR_ARGUMENTS_BAD
CKM_NVIDIA_AES_GCM_KEY_UNWRAP return CKR_MECHANISM_INVALID

  • If pTemplate == NULL

    unwrap using CKM_NVIDIA_AES_GCM_KEY_UNWRAP

  • If pTemplate != NULL

    return CKR_ARGUMENTS_BAD

A customer application provisioning keys using the original mechanism will still work with 6.0.8.1. The PKCS#11 Library issues an advisory log to update to the new vendor-specific mechanism naming scheme for that use case.

Unwrap Secret Key Attributes Support with CKM_AES_CBC

PKCS#11 library does support Cryptoki attributes supplied within a template to be applied to the unwrapped key with CKM_AES_CBC mechanism.

The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.

Table Entry

Meaning

Yes

Indicates that PKCS#11 library supports the attribute for the specific key type.

No

Indicates that PKCS#11 library does not support the attribute for the specific key type.

Read-only

The attribute is set to read-only for the specific key type.

An empty cell in Default Value column indicates that there is no specific value assigned to the attribute.

(Result of library function)

Indicates that the attribute value is determined by the PKCS#11 library
C_UnwrapKey
Attributes Key Type Default Value Note
Generic Secret AES
CKA_CLASS Yes Yes CKO_SECRET_KEY Mandatory template attribute.
CKA_TOKEN Read-only Read-only FALSE NVIDIA limitation. Only EPHEMERAL keys can be unwrapped if attribute template is supported.
CKA_PRIVATE Read-only Read-only TRUE NVIDIA limitation. All objects are private.
CKA_LABEL Yes Yes
CKA_VALUE No No
CKA_TRUSTED Read-only Read-only FALSE NVIDIA limitation. Cannot create a trusted wrapping key at runtime.
CKA_CHECK_VALUE No No NVIDIA limitation. Attribute not supported.
CKA_KEY_TYPE Yes Yes Mandatory template attribute.
CKA_SUBJECT No No NVIDIA limitation. Attribute not supported.
CKA_ID Yes Yes Mandatory template attribute.
CKA_SENSITIVE Read-only Read-only TRUE NVIDIA limitation. No access to secret key material.
CKA_ENCRYPT No Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_DECRYPT No Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_WRAP No Yes FALSE
CKA_UNWRAP No Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_SIGN Yes Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_VERIFY Yes Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_VERIFY_RECOVER No No
CKA_DERIVE Yes Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_START_DATE Yes Yes
CKA_END_DATE Yes Yes
CKA_MODULUS No No
CKA_MODULUS_BITS No No
CKA_PUBLIC_EXPONENT No No
CKA_PUBLIC_KEY_INFO No No
CKA_VALUE_LEN Yes Yes Mandatory template attribute.
CKA_EXTRACTABLE Yes Yes FALSE NVIDIA limitation. Default False on Unwrap.
CKA_LOCAL Read-only Read-only FALSE Must not be template attribute.
CKA_NEVER_EXTRACTABLE Read-only Read-only FALSE Must not be template attribute.
CKA_ALWAYS_SENSITIVE Read-only Read-only FALSE Must not be template attribute.
CKA_KEY_GEN_MECHANISM Read-only Read-only CK_UNAVAILABLE_INFORMATION Must not be template attribute.
CKA_MODIFIABLE Yes Yes TRUE
CKA_COPYABLE Yes Yes TRUE
CKA_DESTROYABLE Yes Yes TRUE
CKA_EC_PARAMS No No
CKA_EC_POINT No No
CKA_WRAP_WITH_TRUSTED Yes Yes FALSE
CKA_WRAP_TEMPLATE No No NVIDIA limitation. Not supported.
CKA_UNWRAP_TEMPLATE No No NVIDIA limitation. Not supported.
CKA_ALLOWED_MECHANISMS Yes Yes Mandatory template attribute.
CKA_NVIDIA_CALLER_NONCE Read-only Read-only FALSE

Unwrap Private Key Attributes Support with CKM_AES_CBC

The table below lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being created.

Table Entry

Meaning

Yes

Indicates that PKCS#11 library supports the attribute for the specific key type.

No

Indicates that PKCS#11 library does not support the attribute for the specific key type.

Read-only

The attribute is set to read-only for the specific key type.

An empty cell in Default Value column indicates that there is no specific value assigned to the attribute.

(Result of library function)

Indicates that the PKCS#11 library determines the attribute value.
C_UnwrapKey
Attributes Key Type Default Value Note
EC Private
CKA_CLASS Yes CKO_PRIVATE_KEY Mandatory template attribute.
CKA_TOKEN Read-only FALSE NVIDIA limitation. Only EPHEMERAL keys can be unwrapped if attribute template is supported.
CKA_PRIVATE Read-only TRUE NVIDIA limitation. All objects are private.
CKA_LABEL Yes
CKA_VALUE No
CKA_TRUSTED No
CKA_CHECK_VALUE No
CKA_KEY_TYPE Yes Mandatory template attribute.
CKA_SUBJECT No NVIDIA limitation. Attribute not supported.
CKA_ID Yes Mandatory template attribute.
CKA_SENSITIVE Read-only TRUE NVIDIA limitation. No access to private key material.
CKA_ENCRYPT No
CKA_DECRYPT Read-only FALSE NVIDIA limitation. Private key decryption is not supported.
CKA_WRAP No
CKA_UNWRAP Read-only FALSE NVIDIA limitation. Private key unwrap is not supported.
CKA_SIGN Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_VERIFY No
CKA_VERIFY_RECOVER No
CKA_DERIVE Yes FALSE NVIDIA limitation. Observe single purpose rules.
CKA_START_DATE Yes
CKA_END_DATE Yes
CKA_MODULUS No
CKA_MODULUS_BITS No
CKA_PUBLIC_EXPONENT No
CKA_PUBLIC_KEY_INFO No
CKA_VALUE_LEN No
CKA_EXTRACTABLE Yes FALSE NVIDIA limitation. Default False on Unwrap.
CKA_LOCAL Read-only FALSE Must not be template attribute.
CKA_NEVER_EXTRACTABLE Read-only FALSE Must not be template attribute.
CKA_ALWAYS_SENSITIVE Read-only FALSE Must not be template attribute.
CKA_KEY_GEN_MECHANISM Read-only CK_UNAVAILABLE_INFORMATION Must not be template attribute.
CKA_MODIFIABLE Yes TRUE
CKA_COPYABLE Yes TRUE
CKA_DESTROYABLE Yes TRUE
CKA_EC_PARAMS Yes Mandatory template attribute.
CKA_EC_POINT No
CKA_WRAP_WITH_TRUSTED Yes FALSE
CKA_WRAP_TEMPLATE No
CKA_UNWRAP_TEMPLATE No NVIDIA limitation. Not supported
CKA_ALLOWED_MECHANISMS Yes Mandatory template attribute
CKA_NVIDIA_CALLER_NONCE No

Copy Key Attributes Support

The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type being copied.

Table Entry

Meaning

Yes

Indicates that PKCS#11 library supports the attribute for the specific key type.

No

Indicates that PKCS#11 library does not support the attribute for the specific key type.

Read-only

The attribute is set to read-only for the specific key type.

An empty cell in Default Value column indicates that there is no specific value assigned to the attribute.

(Result of library function)

Indicates that the PKCS#11 library determines the attribute value.
C_CopyObject
Attributes Key Type Default Value Note
EC Private EC Public RSA Public Generic Secret AES

CKA_CLASS

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

CKA_TOKEN

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

NVIDIA limitation. A token key cannot be copied into a session key or vice versa.

CKA_PRIVATE

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

CKA_LABEL

 Yes

Yes

Yes

 Yes

Yes

Inherited from Object being copied

?

CKA_VALUE

 No

No

No

 Read-only

Read-only

Inherited from Object being copied

CKA_TRUSTED

 No

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

CKA_CHECK_VALUE

 No

No

No

 No

No

?NVIDIA limitation. Attribute not supported.

CKA_KEY_TYPE

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

CKA_SUBJECT

 No

No

No

 No

No

NVIDIA limitation. Attribute not supported.

CKA_ID

 Yes

Yes

Yes

 Yes

Yes

?

Mandatory template attribute.

CKA_SENSITIVE

 Read-only

No

No

 Read-only

Read-only

Inherited from Object being copied

CKA_ENCRYPT

 No

Read only

Read only

 No

Read-only

Inherited from Object being copied

NVIDIA limitation. Key usage immutability.

CKA_DECRYPT

 Read-only

No

No

 No

Read-only

Inherited from Object being copied

NVIDIA limitation.? Key usage immutability.

CKA_WRAP

 No

Read-only

Read-only

 No

Read-only

Inherited from Object being copied

NVIDIA limitation. Key usage immutability.

CKA_UNWRAP

 Read-only

No

No

 No

Read-only

Inherited from Object being copied

NVIDIA limitation.? Key usage immutability.

CKA_SIGN

 Read-only

No

No

 Read-only

Read-only

Inherited from Object being copied

NVIDIA limitation.? Key usage immutability.
CKA_SIGN_RECOVER No No No No No NVIDIA limitation. Attribute not supported for private keys.

CKA_VERIFY

 No

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

NVIDIA limitation.? Key usage immutability.

CKA_VERIFY_RECOVER

 No

No

No

 No

No

?

NVIDIA limitation. Attribute not supported.

CKA_DERIVE

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

NVIDIA limitation.? Key usage immutability.

CKA_START_DATE

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

?

CKA_END_DATE

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

?

CKA_MODULUS

 No

No

Read-only

 No

No

Inherited from Object being copied

?

CKA_MODULUS_BITS

 No

No

Read-only

 No

No

Inherited from Object being copied

?

CKA_PUBLIC_EXPONENT

 No

No

Read-only

 No

No

Inherited from Object being copied

?

CKA_PUBLIC_KEY_INFO

 No

No

No

 No

No

NVIDIA limitation. Attribute not supported

CKA_VALUE_LEN

 No

No

No

 Read-only

Read-only

Inherited from Object being copied

?

CKA_EXTRACTABLE

 Read-only

No

No

 Read-only

Read-only

Inherited from Object being copied

CKA_LOCAL

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

CKA_NEVER_EXTRACTABLE

 Read-only

No

No

 Read-only

Read-only

Inherited from Object being copied

CKA_ALWAYS_SENSITIVE

 Read-only

No

No

 Read-only

Read-only

Inherited from Object being copied

CKA_KEY_GEN_MECHANISM

 Read-only

Read only

Read only

 Read-only

Read-only

Inherited from Object being copied

CKA_MODIFIABLE

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

?

CKA_COPYABLE

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

CKA_DESTROYABLE

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

?

CKA_EC_PARAMS

 Read-only

Read-only

No

 No

No

Inherited from Object being copied

?

CKA_EC_POINT

 No

Read-only

No

 No

No

Inherited from Object being copied

?

CKA_WRAP_WITH_TRUSTED

 Read-only

No

No

 Read-only

Read-only

Inherited from Object being copied

CKA_WRAP_TEMPLATE

 No

No

No

 No

No

?

NVIDIA limitation. Not supported.

CKA_UNWRAP_TEMPLATE

 No

No

No

 No

No

?

NVIDIA limitation. Not supported.

CKA_ALLOWED_MECHANISMS

 Read-only

Read-only

Read-only

 Read-only

Read-only

Inherited from Object being copied

?
CKA_ALWAYS_AUTHENTICATE No No No No No NVIDIA limitation. Not supported.
CKA_NVIDIA_USER_NONCE No No No Read-only Read-only Inherited from Object being copied

Set Attributes Support

Note:

Only a single attribute may be set at a time.

The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type operation.

Table Entry

Meaning

Yes

Indicates that PKCS#11 Library supports set attribute for the specific key type.

No

Indicates that PKCS#11 Library does not support set attribute for the specific key type.
C_SetAttributeValue
Attributes Key Type Note
EC Private EC Public RSA Public Generic Secret AES

CKA_LABEL

 Yes

Yes

Yes

 Yes

Yes

NVIDIA limitation. Set a single attribute at a time.

CKA_TRUSTED

 No

No

No

 No

No

NVIDIA limitation. Cannot create a trusted wrapping key at runtime.

CKA_CHECK_VALUE

 No

No

No

 No

No

NVIDIA limitation.

CKA_SUBJECT

 No

No

No

 No

No

NVIDIA limitation.

CKA_ID

 Yes

Yes

Yes

 Yes

Yes

NVIDIA limitation. Set a single attribute at a time.

CKA_SENSITIVE

 No

No

No

 No

No

NVIDIA limitation.

CKA_ENCRYPT

 No

No

No

 No

No

NVIDIA limitation. Observe single purpose immutability rule.

CKA_DECRYPT

 No

No

No

 No

No

NVIDIA limitation. Observe single purpose immutability rule.

CKA_WRAP

 No

No

No

 No

No

NVIDIA limitation. Observe single purpose immutability rule.

CKA_UNWRAP

 No

No

No

 No

No

NVIDIA limitation. Observe single purpose immutability rule.

CKA_SIGN

 No

No

No

 No

No

NVIDIA limitation. Observe single purpose immutability rule.
CKA_SIGN_RECOVER No No No No No NVIDIA limitation.

CKA_VERIFY

 No

No

No

 No

No

NVIDIA limitation. Observe single purpose immutability rule.

CKA_VERIFY_RECOVER

 No

No

No

 No

No

NVIDIA limitation.

CKA_DERIVE

 No

No

No

 No

No

NVIDIA limitation. Observe single purpose immutability rule.

CKA_START_DATE

 No

No

No

 No

No

NVIDIA limitation.

CKA_END_DATE

 No

No

No

 No

No

NVIDIA limitation.
CKA_PUBLIC_KEY_INFO No No No No No NVIDIA limitation.

CKA_EXTRACTABLE

 No

No

No

 No

No

NVIDIA limitation.
CKA_NVIDIA_USER_NONCE No

No

No

 No

No

Get Attributes Support?

The following table lists attributes that differ by key types. It indicates whether a given attribute in a template is supported for a particular key type.

Table Entry

Meaning

Yes

Indicates that PKCS#11 Library supports the attribute for the specific key type.

No

Indicates that PKCS#11 Library does not support the attribute for the specific key type.

No Get

Indicates that the attribute is sensitive and cannot be revealed.
C_GetAttributeValue
Attributes Key Type Note
EC Private EC Public RSA Public Generic Secret AES
CKA_CLASS Yes Yes Yes Yes Yes
CKA_TOKEN Yes Yes Yes Yes Yes
CKA_PRIVATE Yes Yes Yes Yes Yes
CKA_LABEL Yes Yes Yes Yes Yes
CKA_VALUE No No No No Get No Get NVIDIA limitation. Attribute always sensitive and not returned.
CKA_TRUSTED No Yes Yes Yes Yes
CKA_CHECK_VALUE No No No No No NVIDIA limitation. Attribute not supported.
CKA_KEY_TYPE Yes Yes Yes Yes Yes
CKA_SUBJECT No No No No No NVIDIA limitation. Attribute not supported.
CKA_ID Yes Yes Yes Yes Yes
CKA_SENSITIVE Yes No No Yes Yes
CKA_ENCRYPT No Yes Yes No Yes
CKA_DECRYPT Yes No No No Yes
CKA_WRAP No Yes Yes No Yes
CKA_UNWRAP Yes No No No Yes
CKA_SIGN Yes No No Yes Yes
CKA_SIGN_RECOVER No No No No No NVIDIA limitation. Attribute not supported for Private keys.
CKA_VERIFY No Yes Yes Yes Yes
CKA_VERIFY_RECOVER No No No No No NVIDIA limitation. Attribute not supported for public keys.
CKA_DERIVE Yes Yes Yes Yes Yes
CKA_START_DATE Yes Yes Yes Yes Yes
CKA_END_DATE Yes Yes Yes Yes Yes
CKA_MODULUS No No Yes No No
CKA_MODULUS_BITS No No Yes No No
CKA_PUBLIC_EXPONENT No No Yes No No
CKA_PUBLIC_KEY_INFO No No No No No NVIDIA limitation. Attribute not supported for public keys.
CKA_VALUE_LEN No No No Yes Yes
CKA_EXTRACTABLE Yes No No Yes Yes
CKA_LOCAL Yes Yes Yes Yes Yes
CKA_NEVER_EXTRACTABLE Yes No No Yes Yes
CKA_ALWAYS_SENSITIVE Yes No No Yes Yes
CKA_KEY_GEN_MECHANISM Yes Yes Yes Yes Yes Contains a valid value only if CKA_LOCAL is TRUE. Else is CK_UNAVAILABLE_INFORMATION.
CKA_MODIFIABLE Yes Yes Yes Yes Yes
CKA_COPYABLE Yes Yes Yes Yes Yes
CKA_DESTROYABLE Yes Yes Yes Yes Yes
CKA_EC_PARAMS Yes Yes No No No NVIDIA limitation. Contains CK_UNAVAILABLE_INFORMATION.
CKA_EC_POINT No Yes No No No
CKA_WRAP_WITH_TRUSTED Yes No No Yes Yes
CKA_WRAP_TEMPLATE No No No No No NVIDIA limitation. Not supported.
CKA_UNWRAP_TEMPLATE No No No No No NVIDIA limitation. Not supported.
CKA_ALLOWED_MECHANISMS Yes Yes Yes Yes Yes
CKA_ALWAYS_AUTHENTICATE No No No No No NVIDIA limitation. Not supported.
CKA_NVIDIA_USER_NONCE No No No Yes Yes

Create Data Object Attributes Support

The following table indicates whether a given attribute in a template is supported for a Data Object being created.

Table Entry Meaning
Yes Indicates that PKCS#11 library supports the attribute for a Data Object.
No Indicates that PKCS#11 library does not support the attribute for a Data Object.
Read-only The attribute is set to read-only for a Data Object.
An empty cell in Default Value column indicates that there is no specific value assigned to the attribute.
(Result of library function) Indicates that the attribute value is determined by the PKCS#11 library
C_CreateObject
Attributes Data Object Default Value Note
CKA_CLASS Yes CKO_DATA Mandatory template attribute.
CKA_TOKEN Yes FALSE
CKA_PRIVATE Read-only TRUE NVIDIA limitation. All objects are private.
CKA_LABEL Yes
CKA_VALUE Yes -
CKA_ID Yes - Mandatory template attribute.
CKA_VALUE_LEN Read-only (Result of library function) Must not be template attribute.
CKA_MODIFIABLE Yes TRUE
CKA_COPYABLE Yes TRUE
CKA_DESTROYABLE Yes TRUE
CKA_APPLICATION Yes
CKA_OBJECT_ID Yes

Copy Data Object Attributes Support

The table below indicates whether a given attribute in a template is supported for a Data Object being copied.

Table Entry Meaning
Yes Indicates that PKCS#11 library supports the attribute for a Data Object.
No Indicates that PKCS#11 library does not support the attribute for a Data Object.
Read-only The attribute is set to read-only for a Data Object.
An empty cell in Default Value column indicates that there is no specific value assigned to the attribute.
(Result of library function) Indicates that the PKCS#11 library determines the attribute value.
C_CopyObject
Attributes Data Object Default Value Note
CKA_CLASS Read-only Inherited from Object being copied -
CKA_TOKEN Read-only Inherited from Object being copied
CKA_PRIVATE Read-only Inherited from Object being copied -
CKA_LABEL Yes Inherited from Object being copied
CKA_VALUE Yes Inherited from Object being copied -
CKA_ID Yes - Mandatory template attribute.
CKA_VALUE_LEN Read-only Inherited from Object being copied -
CKA_MODIFIABLE Read-only Inherited from Object being copied
CKA_COPYABLE Read-only Inherited from Object being copied
CKA_DESTROYABLE Read-only Inherited from Object being copied
CKA_APPLICATION Read-only Inherited from Object being copied
CKA_OBJECT_ID Read-only Inherited from Object being copied

Set Data Object Attributes Support

The following table below indicates whether a given attribute in a template is supported for a Data Object set attribute operation after being created.

Table Entry Meaning
Yes Indicates that PKCS#11 library supports set attribute for a Data Object.
No Indicates that PKCS#11 library does not support set attribute for a Data Object.
C_SetAttributeValue
Attributes Data Object Note
CKA_LABEL Yes NVIDIA limitation. Set a single attribute at a time.
CKA_VALUE Yes NVIDIA limitation. Set a single attribute at a time.
CKA_ID Yes NVIDIA limitation. Set a single attribute at a time.
CKA_APPLICATION No
CKA_OBJECT_ID No -

Get Data Object Attributes Support

The following table indicates whether a given attribute in a template is supported for a Data Object attribute being fetched after creation.

Table Entry Meaning
Yes Indicates that PKCS#11 library supports the attribute for a Data Object.
No Indicates that PKCS#11 library does not support the attribute for a Data Object.
C_GetAttributeValue
Attributes Data Object Note
CKA_CLASS Yes
CKA_TOKEN Yes
CKA_PRIVATE Yes
CKA_LABEL Yes
CKA_VALUE Yes
CKA_ID Yes
CKA_VALUE_LEN Yes
CKA_MODIFIABLE Yes
CKA_COPYABLE Yes
CKA_DESTROYABLE Yes
CKA_APPLICATION Yes
CKA_OBJECT_ID Yes

Key Exclusive Usage Rules

PKCS#11 library limits key usage attributes such that a key is only usable for a single purpose, or for a single class of purposes. The following purposes and purpose combinations are valid:

  • Encryption (CKA_ENCRYPT)
  • Decryption (CKA_DECRYPT)
  • Encryption and decryption (CKA_ENCRYPT | CKA_DECRYPT)
  • Signature generation (CKA_SIGN)
  • Signature verification (CKA_VERIFY)
  • Signature generation and verification (CKA_SIGN | CKA_VERIFY)
  • Key unwrapping (CKA_UNWRAP)
  • Key wrapping (CKA_WRAP)
  • Key unwrapping and wrapping (CKA_UNWRAP | CKA_WRAP)
  • Key derivation (CKA_DERIVE)

Key Usage Immutability

PKCS#11 library does not allow modification of key usage attributes after key creation.

CKA_ID

PKCS#11 library requires that any CKA_ID generated by the client application satisfies the following constraints:

  • A byte array of CK_BYTEs must be padded with space character to 32 bytes
  • No NULL character
  • Must not start with "NV"
  • Unique

Returns CKR_ATTRIBUTE_VALUE_INVALID if any of these conditions are not met.

Attribute Repeated in Template

PKCS#11 library returns CKR_TEMPLATE_INCONSISTENT if a template for an object specifies the same attribute more than once.

Surplus Attributes in Template

PKCS#11 library returns CKR_TEMPLATE_INCONSISTENT if a template for an object specifies attributes surplus to expectation.

Unwrap Template Not Supported

The attribute CKA_UNWRAP_TEMPLATE is not supported.

Wrap Template Not Supported

The attribute CKA_WRAP_TEMPLATE is not supported.

Unique ID Not Supported

The attribute CKA_UNIQUE_ID is not supported.