HP UX Kernel Cryptographic Module (KCM) PKCS #11 API considerations

The interfaces supported by the library follows RSA Security Inc. PKCS#11 V.2.20 specification. For more information see, PKCS#11 specifications document.

PKCS #11 API considerations

Following are the API considerations for PKCS#11:

•In PKCS#11 terminology, KCM is a soft token used for software implementation. Hardware related functions, data types, and features are not implemented by default.

•There is only one conceptual slot with slotID=0 and conceptual token is assumed to be present in the slot.

•KCM does not store public or private token objects such as keys/certificates. Following are the ramifications of this consideration:

◦KCM does not implement PIN related functions or functions that require PIN (For example, C_Login) specified by PKCS#11.

◦Session type will be R/W user functions by default. There is no distinction between R/O and R/W session types.

◦No distinction is made between user session and SO session. The user is considered as logged in by default at the point of opening a session and logged out when the session is closed.

•KCM implements CK_RV type functions and does not support CK_NOTIFY type. Hence it does not support callback functions and events.

•Multiple thread access to a single PKCS#11 session is not supported.

•There will be limited support for objects and object related functions as per the scope of APIs implemented by KCM. They are used only to invoke KCM supported PKCS#11 functions and retrieve the data returned by functions.

KCM supports the following objects:

•Table 1 (page 5) describes the mechanisms supported by HPUX-KCM. Table 1 Mechanisms supported by HPUX-KCM