PKCS#11¶
Added in version 1.11.31.
PKCS#11 is a platform-independent interface for accessing smart cards and hardware security modules (HSM). Vendors of PKCS#11 compatible devices usually provide a so called middleware or “PKCS#11 module” which implements the PKCS#11 standard. This middleware translates calls from the platform-independent PKCS#11 API to device specific calls. So application developers don’t have to write smart card or HSM specific code for each device they want to support.
Note
The Botan PKCS#11 interface is implemented against version v2.40 of the standard.
Botan wraps the C PKCS#11 API to provide a C++ PKCS#11 interface. This is done in two levels of abstraction: a low level API (see Low Level API) and a high level API (see High Level API). The low level API provides access to all functions that are specified by the standard. The high level API represents an object oriented approach to use PKCS#11 compatible devices but only provides a subset of the functions described in the standard.
To use the PKCS#11 implementation the pkcs11
module has to be enabled.
Note
Both PKCS#11 APIs live in the namespace
Botan::PKCS11
Low Level API¶
The PKCS#11 standards committee provides header files (pkcs11.h
, pkcs11f.h
and
pkcs11t.h
) which define the PKCS#11 API in the C programming language. These
header files could be used directly to access PKCS#11 compatible smart cards or
HSMs. The external header files are shipped with Botan in version v2.4 of the standard. The PKCS#11 low
level API wraps the original PKCS#11 API, but still allows to access all functions described in the
standard and has the advantage that it is a C++ interface with features like RAII, exceptions
and automatic memory management.
The low level API is implemented by the LowLevel
class and can be accessed by
including the header botan/p11.h
.
Preface¶
All constants that belong together in the PKCS#11 standard are grouped into C++
enum classes. For example the different user types are grouped in the
UserType
enumeration:
-
enum class UserType : CK_USER_TYPE¶
-
enumerator UserType::SO = CKU_SO¶
-
enumerator UserType::User = CKU_USER¶
-
enumerator UserType::ContextSpecific = CKU_CONTEXT_SPECIFIC¶
-
enumerator UserType::SO = CKU_SO¶
Additionally, all types that are used by the low or high level API are mapped by type aliases to more C++ like names. For instance:
-
using FunctionListPtr = CK_FUNCTION_LIST_PTR¶
C-API Wrapping
There is at least one method in the LowLevel
class that corresponds to a PKCS#11
function. For example the C_GetSlotList
method in the LowLevel
class is defined as follows:
-
class LowLevel¶
-
bool C_GetSlotList(Bbool token_present, SlotId *slot_list_ptr, Ulong *count_ptr, ReturnValue *return_value = ThrowException) const¶
-
bool C_GetSlotList(Bbool token_present, SlotId *slot_list_ptr, Ulong *count_ptr, ReturnValue *return_value = ThrowException) const¶
The LowLevel
class calls the PKCS#11 function from the function list of the PKCS#11 module:
CK_DEFINE_FUNCTION(CK_RV, C_GetSlotList)( CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount )
Where it makes sense there is also an overload of the LowLevel
method to make usage easier and safer:
- bool C_GetSlotList(bool token_present, std::vector<SlotId> &slot_ids, ReturnValue *return_value = ThrowException) const¶
With this overload the user of this API just has to pass a vector of SlotId
instead of pointers
to preallocated memory for the slot list and the number of elements. Additionally, there is no need
to call the method twice in order to determine the number of elements first.
Another example is the C_InitPIN
overload:
- template<typename Talloc>
bool C_InitPIN(SessionHandle session, const std::vector<uint8_t, TAlloc> &pin, ReturnValue *return_value = ThrowException) const¶
The templated pin
parameter allows to pass the PIN as a std::vector<uint8_t>
or a secure_vector<uint8_t>
.
If used with a secure_vector
it is assured that the memory is securely erased when the pin
object is no longer needed.
Error Handling¶
All possible PKCS#11 return values are represented by the enum class:
-
enum class ReturnValue : CK_RV¶
All methods of the LowLevel
class have a default parameter ReturnValue* return_value = ThrowException
.
This parameter controls the error handling of all LowLevel
methods. The default
behavior return_value = ThrowException
is to throw an exception if the method does
not complete successfully. If a non-NULL
pointer is passed, return_value
receives the
return value of the PKCS#11 function and no exception is thrown. In case nullptr
is
passed as return_value
, the exact return value is ignored and the method just returns
true
if the function succeeds and false
otherwise.
Getting started¶
An object of this class can be accessed by the Module::operator->()
method.
Code Example:
#include <botan/p11.h>
#include <botan/p11_types.h>
#include <vector>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// C_Initialize is automatically called by the constructor of the Module
// work with the token
std::vector<Botan::PKCS11::SlotId> slot_ids;
[[maybe_unused]] bool success = module->C_GetSlotList(true, slot_ids);
// C_Finalize is automatically called by the destructor of the Module
return 0;
}
High Level API¶
The high level API provides access to the most commonly used PKCS#11 functionality in an object oriented manner. Functionality of the high level API includes:
Loading/unloading of PKCS#11 modules
Initialization of tokens
Change of PIN/SO-PIN
Session management
Random number generation
Enumeration of objects on the token (certificates, public keys, private keys)
Import/export/deletion of certificates
Generation/import/export/deletion of RSA and EC public and private keys
Encryption/decryption using RSA with support for OAEP and PKCS1-v1_5 (and raw)
Signature generation/verification using RSA with support for PSS and PKCS1-v1_5 (and raw)
Signature generation/verification using ECDSA
Key derivation using ECDH
Module¶
The Module
class represents a PKCS#11 shared library (module) and is defined in
botan/p11_module.h
.
It is constructed from a a file path to a PKCS#11 module and optional C_InitializeArgs
:
-
class Module¶
Module(const std::string& file_path, C_InitializeArgs init_args = { nullptr, nullptr, nullptr, nullptr, static_cast<CK_FLAGS>(Flag::OsLockingOk), nullptr })
It loads the shared library and calls
C_Initialize
with the providedC_InitializeArgs
. On destruction of the objectC_Finalize
is called.
There are two more methods in this class. One is for reloading the shared library and reinitializing the PKCS#11 module:
void reload(C_InitializeArgs init_args = { nullptr, nullptr, nullptr, nullptr, static_cast< CK_FLAGS >(Flag::OsLockingOk), nullptr });
The other one is for getting general information about the PKCS#11 module:
- Info get_info() const¶
This function calls
C_GetInfo
internally.
Code example:
#include <botan/p11.h>
#include <botan/p11_types.h>
#include <iostream>
#include <string>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// Sometimes useful if a newly connected token is not detected by the PKCS#11 module
module.reload();
Botan::PKCS11::Info info = module.get_info();
// print library version
std::cout << std::to_string(info.libraryVersion.major) << "." << std::to_string(info.libraryVersion.minor) << '\n';
return 0;
}
Slot¶
The Slot
class represents a PKCS#11 slot and is defined in
botan/p11_slot.h
.
A PKCS#11 slot is usually a smart card reader that potentially contains a token.
-
class Slot¶
-
Slot(Module &module, SlotId slot_id)¶
To instantiate this class a reference to a
Module
object and aslot_id
have to be passed to the constructor.
-
static std::vector<SlotId> get_available_slots(Module &module, bool token_present)¶
Retrieve available slot ids by calling this static method.
The parameter
token_present
controls whether all slots or only slots with a token attached are returned by this method. This method callsC_GetSlotList
.
-
SlotInfo get_slot_info() const¶
Returns information about the slot. Calls
C_GetSlotInfo
.
-
TokenInfo get_token_info() const¶
Obtains information about a particular token in the system. Calls
C_GetTokenInfo
.
-
std::vector<MechanismType> get_mechanism_list() const¶
Obtains a list of mechanism types supported by the slot. Calls
C_GetMechanismList
.
-
MechanismInfo get_mechanism_info(MechanismType mechanism_type) const¶
Obtains information about a particular mechanism possibly supported by a slot. Calls
C_GetMechanismInfo
.
-
void initialize(const std::string &label, const secure_string &so_pin) const¶
Calls
C_InitToken
to initialize the token. Thelabel
must not exceed 32 bytes. The current PIN of the security officer must be passed inso_pin
if the token is reinitialized or if it’s a factory new token, theso_pin
that is passed will initially be set.
-
Slot(Module &module, SlotId slot_id)¶
Code example:
#include <botan/p11.h>
#include <botan/p11_types.h>
#include <iostream>
#include <string>
#include <vector>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// only slots with connected token
std::vector<Botan::PKCS11::SlotId> slots = Botan::PKCS11::Slot::get_available_slots(module, true);
// use first slot
Botan::PKCS11::Slot slot(module, slots.at(0));
// print firmware version of the slot
Botan::PKCS11::SlotInfo slot_info = slot.get_slot_info();
std::cout << std::to_string(slot_info.firmwareVersion.major) << "."
<< std::to_string(slot_info.firmwareVersion.minor) << '\n';
// print firmware version of the token
Botan::PKCS11::TokenInfo token_info = slot.get_token_info();
std::cout << std::to_string(token_info.firmwareVersion.major) << "."
<< std::to_string(token_info.firmwareVersion.minor) << '\n';
// retrieve all mechanisms supported by the token
std::vector<Botan::PKCS11::MechanismType> mechanisms = slot.get_mechanism_list();
// retrieve information about a particular mechanism
Botan::PKCS11::MechanismInfo mech_info = slot.get_mechanism_info(Botan::PKCS11::MechanismType::RsaPkcsOaep);
// maximum RSA key length supported:
std::cout << mech_info.ulMaxKeySize << '\n';
// initialize the token
Botan::PKCS11::secure_string so_pin(8, '0');
slot.initialize("Botan PKCS11 documentation test label", so_pin);
return 0;
}
Session¶
The Session
class represents a PKCS#11 session and is defined in botan/p11_session.h
.
A session is a logical connection between an application and a token.
The session is passed to most other PKCS#11 operations, and must remain alive
as long as any other PKCS#11 object which the session was passed to is still
alive, otherwise errors or even an application crash are possible.
In the future,
the API may change to using shared_ptr
to remove this problem.
-
class Session¶
There are two constructors to create a new session and one constructor to take ownership of an existing session. The destructor calls
C_Logout
if a user is logged in to this session and alwaysC_CloseSession
.-
Session(Slot &slot, bool read_only)¶
To initialize a session object a
Slot
has to be specified on which the session should operate.read_only
specifies whether the session should be read only or read write. CallsC_OpenSession
.
-
Session(Slot &slot, Flags flags, VoidPtr callback_data, Notify notify_callback)¶
Creates a new session by passing a
Slot
, sessionflags
,callback_data
and anotify_callback
. CallsC_OpenSession
.
-
Session(Slot &slot, SessionHandle handle)¶
Takes ownership of an existing session by passing
Slot
and a sessionhandle
.
-
SessionHandle release()¶
Returns the released
SessionHandle
-
void login(UserType userType, const secure_string &pin)¶
Login to this session by passing
UserType
andpin
. CallsC_Login
.
-
void logoff()¶
Logout from this session. Not mandatory because on destruction of the
Session
object this is done automatically.
-
SessionInfo get_info() const¶
Returns information about this session. Calls
C_GetSessionInfo
.
-
void set_pin(const secure_string &old_pin, const secure_string &new_pin) const¶
Calls
C_SetPIN
to change the PIN of the logged in user using theold_pin
.
-
Session(Slot &slot, bool read_only)¶
Code example:
#include <botan/p11.h>
#include <botan/p11_types.h>
#include <iostream>
#include <vector>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// use first slot with connected token
std::vector<Botan::PKCS11::SlotId> slots = Botan::PKCS11::Slot::get_available_slots(module, true);
Botan::PKCS11::Slot slot(module, slots.at(0));
// open read only session
{ Botan::PKCS11::Session read_only_session(slot, true); }
// open read write session
{ Botan::PKCS11::Session read_write_session(slot, false); }
// open read write session by passing flags
{
Botan::PKCS11::Flags flags =
Botan::PKCS11::flags(Botan::PKCS11::Flag::SerialSession | Botan::PKCS11::Flag::RwSession);
Botan::PKCS11::Session read_write_session(slot, flags, nullptr, nullptr);
}
// move ownership of a session
{
Botan::PKCS11::Session session(slot, false);
Botan::PKCS11::SessionHandle handle = session.release();
Botan::PKCS11::Session session2(slot, handle);
}
Botan::PKCS11::Session session(slot, false);
// get session info
Botan::PKCS11::SessionInfo info = session.get_info();
std::cout << info.slotID << '\n';
// login
Botan::PKCS11::secure_string pin = {'1', '2', '3', '4', '5', '6'};
session.login(Botan::PKCS11::UserType::User, pin);
// set pin
Botan::PKCS11::secure_string new_pin = {'6', '5', '4', '3', '2', '1'};
session.set_pin(pin, new_pin);
// logoff
session.logoff();
// log in as security officer
Botan::PKCS11::secure_string so_pin = {'0', '0', '0', '0', '0', '0', '0', '0'};
session.login(Botan::PKCS11::UserType::SO, so_pin);
// change pin to old pin
session.init_pin(pin);
return 0;
}
Objects¶
PKCS#11 objects consist of various attributes (CK_ATTRIBUTE
). For example CKA_TOKEN
describes if a PKCS#11 object is a session object or a token object. The helper class AttributeContainer
helps with storing these attributes. The class is defined in botan/p11_object.h
.
-
class AttributeContainer¶
Attributes can be set in an AttributeContainer
by various add_
methods:
- void add_class(ObjectClass object_class)¶
Add a class attribute (
CKA_CLASS
/AttributeType::Class
)
- void add_string(AttributeType attribute, const std::string &value)¶
Add a string attribute (e.g.
CKA_LABEL
/AttributeType::Label
).
- void AttributeContainer::add_binary(AttributeType attribute, const uint8_t *value, size_t length)¶
Add a binary attribute (e.g.
CKA_ID
/AttributeType::Id
).
- template<typename TAlloc>
void AttributeContainer::add_binary(AttributeType attribute, const std::vector<uint8_t, TAlloc> &binary)¶Add a binary attribute by passing a
vector
/secure_vector
(e.g.CKA_ID
/AttributeType::Id
).
- void AttributeContainer::add_bool(AttributeType attribute, bool value)¶
Add a bool attribute (e.g.
CKA_SENSITIVE
/AttributeType::Sensitive
).
- template<typename T>
void AttributeContainer::add_numeric(AttributeType attribute, T value)¶Add a numeric attribute (e.g.
CKA_MODULUS_BITS
/AttributeType::ModulusBits
).
Object Properties
The PKCS#11 standard defines the mandatory and optional attributes for each object class.
The mandatory and optional attribute requirements are mapped in so called property classes.
Mandatory attributes are set in the constructor, optional attributes can be set via set_
methods.
In the top hierarchy is the ObjectProperties
class which inherits from the AttributeContainer
.
This class represents the common attributes of all PKCS#11 objects.
-
class ObjectProperties : public AttributeContainer¶
The constructor is defined as follows:
- ObjectProperties::ObjectProperties(ObjectClass object_class)¶
Every PKCS#11 object needs an object class attribute.
The next level defines the StorageObjectProperties
class which inherits from
ObjectProperties
.
-
class StorageObjectProperties : public ObjectProperties¶
The only mandatory attribute is the object class, so the constructor is defined as follows:
- StorageObjectProperties::StorageObjectProperties(ObjectClass object_class)¶
But in contrast to the ObjectProperties
class there are various setter methods. For example to
set the AttributeType::Label
:
- void set_label(const std::string &label)¶
Sets the label description of the object (RFC2279 string).
The remaining hierarchy is defined as follows:
DataObjectProperties
inherits fromStorageObjectProperties
CertificateProperties
inherits fromStorageObjectProperties
DomainParameterProperties
inherits fromStorageObjectProperties
KeyProperties
inherits fromStorageObjectProperties
PublicKeyProperties
inherits fromKeyProperties
PrivateKeyProperties
inherits fromKeyProperties
SecretKeyProperties
inherits fromKeyProperties
PKCS#11 objects themselves are represented by the Object
class.
-
class Object¶
Following constructors are defined:
- Object::Object(Session &session, const ObjectProperties &obj_props)¶
Creates a new object with the
ObjectProperties
provided inobj_props
.
The other methods are:
- secure_vector<uint8_t> get_attribute_value(AttributeType attribute) const¶
Returns the value of the given attribute (using
C_GetAttributeValue
)
- void set_attribute_value(AttributeType attribute, const secure_vector<uint8_t> &value) const¶
Sets the given value for the attribute (using
C_SetAttributeValue
)
- void destroy() const¶
Destroys the object.
- ObjectHandle copy(const AttributeContainer &modified_attributes) const¶
Allows to copy the object with modified attributes.
And static methods to search for objects:
- template<typename T>
static std::vector<T> search(Session &session, const std::vector<Attribute> &search_template)¶Searches for all objects of the given type that match
search_template
.
- template<typename T>
static std::vector<T> search(Session &session, const std::string &label)¶Searches for all objects of the given type using the label (
CKA_LABEL
).
- template<typename T>
static std::vector<T> search(Session &session, const std::vector<uint8_t> &id)¶Searches for all objects of the given type using the id (
CKA_ID
).
The ObjectFinder
Another way for searching objects is to use the ObjectFinder
class. This class
manages calls to the C_FindObjects*
functions: C_FindObjectsInit
, C_FindObjects
and C_FindObjectsFinal
.
-
class ObjectFinder¶
The constructor has the following signature:
- ObjectFinder::ObjectFinder(Session &session, const std::vector<Attribute> &search_template)¶
A search can be prepared with an
ObjectSearcher
by passing aSession
and asearch_template
.
The actual search operation is started by calling the find
method:
- std::vector<ObjectHandle> find(std::uint32_t max_count = 100) const¶
Starts or continues a search for token and session objects that match a template.
max_count
specifies the maximum number of search results (object handles) that are returned.
- void finish()¶
Finishes the search operation manually to allow a new
ObjectFinder
to exist. Otherwise the search is finished by the destructor.
Code example:
#include <botan/der_enc.h>
#include <botan/p11.h>
#include <botan/p11_object.h>
#include <botan/p11_types.h>
#include <botan/secmem.h>
#include <cstddef>
#include <string>
#include <vector>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// open write session to first slot with connected token
std::vector<Botan::PKCS11::SlotId> slots = Botan::PKCS11::Slot::get_available_slots(module, true);
Botan::PKCS11::Slot slot(module, slots.at(0));
Botan::PKCS11::Session session(slot, false);
// create an simple data object
Botan::secure_vector<uint8_t> value = {0x00, 0x01, 0x02, 0x03};
std::size_t id = 1337;
std::string label = "test data object";
// set properties of the new object
Botan::PKCS11::DataObjectProperties data_obj_props;
data_obj_props.set_label(label);
data_obj_props.set_value(value);
data_obj_props.set_token(true);
data_obj_props.set_modifiable(true);
std::vector<uint8_t> encoded_id;
Botan::DER_Encoder(encoded_id).encode(id);
data_obj_props.set_object_id(encoded_id);
// create the object
Botan::PKCS11::Object data_obj(session, data_obj_props);
// get label of this object
Botan::PKCS11::secure_string retrieved_label = data_obj.get_attribute_value(Botan::PKCS11::AttributeType::Label);
// set a new label
Botan::PKCS11::secure_string new_label = {'B', 'o', 't', 'a', 'n'};
data_obj.set_attribute_value(Botan::PKCS11::AttributeType::Label, new_label);
// copy the object
Botan::PKCS11::AttributeContainer copy_attributes;
copy_attributes.add_string(Botan::PKCS11::AttributeType::Label, "copied object");
[[maybe_unused]] Botan::PKCS11::ObjectHandle copied_obj_handle = data_obj.copy(copy_attributes);
// search for an object
Botan::PKCS11::AttributeContainer search_template;
search_template.add_string(Botan::PKCS11::AttributeType::Label, "Botan");
auto found_objs = Botan::PKCS11::Object::search<Botan::PKCS11::Object>(session, search_template.attributes());
// destroy the object
data_obj.destroy();
return 0;
}
RSA¶
PKCS#11 RSA support is implemented in <botan/p11_rsa.h>
.
RSA Public Keys
PKCS#11 RSA public keys are provided by the class PKCS11_RSA_PublicKey
. This class
inherits from RSA_PublicKey
and Object
. Furthermore there are two property classes defined
to generate and import RSA public keys analogous to the other property classes described
before: RSA_PublicKeyGenerationProperties
and RSA_PublicKeyImportProperties
.
-
class PKCS11_RSA_PublicKey : public RSA_PublicKey, public Object¶
RSA Private Keys
The support for PKCS#11 RSA private keys is implemented in a similar way. There are two property
classes: RSA_PrivateKeyGenerationProperties
and RSA_PrivateKeyImportProperties
. The PKCS11_RSA_PrivateKey
class implements the actual support for PKCS#11 RSA private keys. This class inherits from Private_Key
,
RSA_PublicKey
and Object
. In contrast to the public key class there is a third constructor
to generate private keys directly on the token or in the session and one method to export private keys.
-
class PKCS11_RSA_PrivateKey : public Private_Key, public RSA_PublicKey, public Object¶
-
PKCS11_RSA_PrivateKey(Session &session, ObjectHandle handle)¶
Existing PKCS#11 RSA private keys can be used by providing an
ObjectHandle
to the constructor.
-
PKCS11_RSA_PrivateKey(Session &session, const RSA_PrivateKeyImportProperties &priv_key_props)¶
This constructor can be used to import an existing RSA private key with the
RSA_PrivateKeyImportProperties
passed inpriv_key_props
to the token.
-
PKCS11_RSA_PrivateKey(Session &session, uint32_t bits, const RSA_PrivateKeyGenerationProperties &priv_key_props)¶
Generates a new PKCS#11 RSA private key with bit length provided in
bits
and theRSA_PrivateKeyGenerationProperties
passed inpriv_key_props
.
-
RSA_PrivateKey export_key() const¶
Returns the exported
RSA_PrivateKey
.
-
PKCS11_RSA_PrivateKey(Session &session, ObjectHandle handle)¶
PKCS#11 RSA key pairs can be generated with the following free function:
Code example:
#include <botan/auto_rng.h>
#include <botan/p11.h>
#include <botan/p11_rsa.h>
#include <botan/p11_types.h>
#include <botan/pubkey.h>
#include <botan/rsa.h>
#include <vector>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// open write session to first slot with connected token
std::vector<Botan::PKCS11::SlotId> slots = Botan::PKCS11::Slot::get_available_slots(module, true);
Botan::PKCS11::Slot slot(module, slots.at(0));
Botan::PKCS11::Session session(slot, false);
Botan::PKCS11::secure_string pin = {'1', '2', '3', '4', '5', '6'};
session.login(Botan::PKCS11::UserType::User, pin);
/************ import RSA private key *************/
// create private key in software
Botan::AutoSeeded_RNG rng;
Botan::RSA_PrivateKey priv_key_sw(rng, 2048);
// set the private key import properties
Botan::PKCS11::RSA_PrivateKeyImportProperties priv_import_props(priv_key_sw.get_n(), priv_key_sw.get_d());
priv_import_props.set_pub_exponent(priv_key_sw.get_e());
priv_import_props.set_prime_1(priv_key_sw.get_p());
priv_import_props.set_prime_2(priv_key_sw.get_q());
priv_import_props.set_coefficient(priv_key_sw.get_c());
priv_import_props.set_exponent_1(priv_key_sw.get_d1());
priv_import_props.set_exponent_2(priv_key_sw.get_d2());
priv_import_props.set_token(true);
priv_import_props.set_private(true);
priv_import_props.set_decrypt(true);
priv_import_props.set_sign(true);
// import
Botan::PKCS11::PKCS11_RSA_PrivateKey priv_key(session, priv_import_props);
/************ export PKCS#11 RSA private key *************/
Botan::RSA_PrivateKey exported = priv_key.export_key();
/************ import RSA public key *************/
// set the public key import properties
Botan::PKCS11::RSA_PublicKeyImportProperties pub_import_props(priv_key.get_n(), priv_key.get_e());
pub_import_props.set_token(true);
pub_import_props.set_encrypt(true);
pub_import_props.set_private(false);
// import
Botan::PKCS11::PKCS11_RSA_PublicKey public_key(session, pub_import_props);
/************ generate RSA private key *************/
Botan::PKCS11::RSA_PrivateKeyGenerationProperties priv_generate_props;
priv_generate_props.set_token(true);
priv_generate_props.set_private(true);
priv_generate_props.set_sign(true);
priv_generate_props.set_decrypt(true);
priv_generate_props.set_label("BOTAN_TEST_RSA_PRIV_KEY");
Botan::PKCS11::PKCS11_RSA_PrivateKey private_key2(session, 2048, priv_generate_props);
/************ generate RSA key pair *************/
Botan::PKCS11::RSA_PublicKeyGenerationProperties pub_generate_props(2048UL);
pub_generate_props.set_pub_exponent();
pub_generate_props.set_label("BOTAN_TEST_RSA_PUB_KEY");
pub_generate_props.set_token(true);
pub_generate_props.set_encrypt(true);
pub_generate_props.set_verify(true);
pub_generate_props.set_private(false);
Botan::PKCS11::PKCS11_RSA_KeyPair rsa_keypair =
Botan::PKCS11::generate_rsa_keypair(session, pub_generate_props, priv_generate_props);
/************ RSA encrypt *************/
Botan::secure_vector<uint8_t> plaintext = {0x00, 0x01, 0x02, 0x03};
Botan::PK_Encryptor_EME encryptor(rsa_keypair.first, rng, "Raw");
auto ciphertext = encryptor.encrypt(plaintext, rng);
/************ RSA decrypt *************/
Botan::PK_Decryptor_EME decryptor(rsa_keypair.second, rng, "Raw");
plaintext = decryptor.decrypt(ciphertext);
/************ RSA sign *************/
Botan::PK_Signer signer(rsa_keypair.second, rng, "EMSA4(SHA-256)", Botan::Signature_Format::Standard);
auto signature = signer.sign_message(plaintext, rng);
/************ RSA verify *************/
Botan::PK_Verifier verifier(rsa_keypair.first, "EMSA4(SHA-256)", Botan::Signature_Format::Standard);
auto ok = verifier.verify_message(plaintext, signature);
return ok ? 0 : 1;
}
ECDSA¶
PKCS#11 ECDSA support is implemented in <botan/p11_ecdsa.h>
.
ECDSA Public Keys
PKCS#11 ECDSA public keys are provided by the class PKCS11_ECDSA_PublicKey
. This class
inherits from PKCS11_EC_PublicKey
and ECDSA_PublicKey
. The necessary property classes
are defined in <botan/p11_ecc_key.h>
. For public keys there are EC_PublicKeyGenerationProperties
and EC_PublicKeyImportProperties
.
-
class PKCS11_ECDSA_PublicKey : public PKCS11_EC_PublicKey, public virtual ECDSA_PublicKey¶
-
PKCS11_ECDSA_PublicKey(Session &session, ObjectHandle handle)¶
Existing PKCS#11 ECDSA private keys can be used by providing an
ObjectHandle
to the constructor.
-
PKCS11_ECDSA_PublicKey(Session &session, const EC_PublicKeyImportProperties &props)¶
This constructor can be used to import an existing ECDSA public key with the
EC_PublicKeyImportProperties
passed inprops
to the token.
-
ECDSA_PublicKey PKCS11_ECDSA_PublicKey::export_key() const¶
Returns the exported
ECDSA_PublicKey
.
-
PKCS11_ECDSA_PublicKey(Session &session, ObjectHandle handle)¶
ECDSA Private Keys
The class PKCS11_ECDSA_PrivateKey
inherits from PKCS11_EC_PrivateKey
and implements support
for PKCS#11 ECDSA private keys. There are two property classes for key generation
and import: EC_PrivateKeyGenerationProperties
and EC_PrivateKeyImportProperties
.
-
class PKCS11_ECDSA_PrivateKey : public PKCS11_EC_PrivateKey¶
-
PKCS11_ECDSA_PrivateKey(Session &session, ObjectHandle handle)¶
Existing PKCS#11 ECDSA private keys can be used by providing an
ObjectHandle
to the constructor.
-
PKCS11_ECDSA_PrivateKey(Session &session, const EC_PrivateKeyImportProperties &props)¶
This constructor can be used to import an existing ECDSA private key with the
EC_PrivateKeyImportProperties
passed inprops
to the token.
-
PKCS11_ECDSA_PrivateKey(Session &session, const std::vector<uint8_t> &ec_params, const EC_PrivateKeyGenerationProperties &props)¶
This constructor can be used to generate a new ECDSA private key with the
EC_PrivateKeyGenerationProperties
passed inprops
on the token. Theec_params
parameter is the DER-encoding of an ANSI X9.62 Parameters value.
-
ECDSA_PrivateKey export_key() const¶
Returns the exported
ECDSA_PrivateKey
.
-
PKCS11_ECDSA_PrivateKey(Session &session, ObjectHandle handle)¶
PKCS#11 ECDSA key pairs can be generated with the following free function:
Code example:
#include <botan/asn1_obj.h>
#include <botan/auto_rng.h>
#include <botan/der_enc.h>
#include <botan/ec_group.h>
#include <botan/ecdsa.h>
#include <botan/p11.h>
#include <botan/p11_ecc_key.h>
#include <botan/p11_ecdsa.h>
#include <botan/p11_types.h>
#include <botan/pubkey.h>
#include <string>
#include <vector>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// open write session to first slot with connected token
std::vector<Botan::PKCS11::SlotId> slots = Botan::PKCS11::Slot::get_available_slots(module, true);
Botan::PKCS11::Slot slot(module, slots.at(0));
Botan::PKCS11::Session session(slot, false);
Botan::PKCS11::secure_string pin = {'1', '2', '3', '4', '5', '6'};
session.login(Botan::PKCS11::UserType::User, pin);
/************ import ECDSA private key *************/
// create private key in software
Botan::AutoSeeded_RNG rng;
Botan::ECDSA_PrivateKey priv_key_sw(rng, Botan::EC_Group::from_name("secp256r1"));
priv_key_sw.set_parameter_encoding(Botan::EC_Group_Encoding::EC_DOMPAR_ENC_OID);
// set the private key import properties
Botan::PKCS11::EC_PrivateKeyImportProperties priv_import_props(priv_key_sw.DER_domain(),
priv_key_sw.private_value());
priv_import_props.set_token(true);
priv_import_props.set_private(true);
priv_import_props.set_sign(true);
priv_import_props.set_extractable(true);
// label
std::string label = "test ECDSA key";
priv_import_props.set_label(label);
// import to card
Botan::PKCS11::PKCS11_ECDSA_PrivateKey priv_key(session, priv_import_props);
/************ export PKCS#11 ECDSA private key *************/
Botan::ECDSA_PrivateKey priv_exported = priv_key.export_key();
/************ import ECDSA public key *************/
// import to card
std::vector<uint8_t> ec_point;
Botan::DER_Encoder(ec_point).encode(priv_key_sw.public_point().encode(Botan::EC_Point_Format::Uncompressed),
Botan::ASN1_Type::OctetString);
Botan::PKCS11::EC_PublicKeyImportProperties pub_import_props(priv_key_sw.DER_domain(), ec_point);
pub_import_props.set_token(true);
pub_import_props.set_verify(true);
pub_import_props.set_private(false);
// label
label = "test ECDSA pub key";
pub_import_props.set_label(label);
Botan::PKCS11::PKCS11_ECDSA_PublicKey public_key(session, pub_import_props);
/************ export PKCS#11 ECDSA public key *************/
Botan::ECDSA_PublicKey pub_exported = public_key.export_key();
/************ generate PKCS#11 ECDSA private key *************/
Botan::PKCS11::EC_PrivateKeyGenerationProperties priv_generate_props;
priv_generate_props.set_token(true);
priv_generate_props.set_private(true);
priv_generate_props.set_sign(true);
Botan::PKCS11::PKCS11_ECDSA_PrivateKey pk(
session,
Botan::EC_Group::from_name("secp256r1").DER_encode(Botan::EC_Group_Encoding::EC_DOMPAR_ENC_OID),
priv_generate_props);
/************ generate PKCS#11 ECDSA key pair *************/
Botan::PKCS11::EC_PublicKeyGenerationProperties pub_generate_props(
Botan::EC_Group::from_name("secp256r1").DER_encode(Botan::EC_Group_Encoding::EC_DOMPAR_ENC_OID));
pub_generate_props.set_label("BOTAN_TEST_ECDSA_PUB_KEY");
pub_generate_props.set_token(true);
pub_generate_props.set_verify(true);
pub_generate_props.set_private(false);
pub_generate_props.set_modifiable(true);
Botan::PKCS11::PKCS11_ECDSA_KeyPair key_pair =
Botan::PKCS11::generate_ecdsa_keypair(session, pub_generate_props, priv_generate_props);
/************ PKCS#11 ECDSA sign and verify *************/
std::vector<uint8_t> plaintext(20, 0x01);
Botan::PK_Signer signer(key_pair.second, rng, "Raw", Botan::Signature_Format::Standard, "pkcs11");
auto signature = signer.sign_message(plaintext, rng);
Botan::PK_Verifier token_verifier(key_pair.first, "Raw", Botan::Signature_Format::Standard, "pkcs11");
bool ecdsa_ok = token_verifier.verify_message(plaintext, signature);
return ecdsa_ok ? 0 : 1;
}
ECDH¶
PKCS#11 ECDH support is implemented in <botan/p11_ecdh.h>
.
ECDH Public Keys
PKCS#11 ECDH public keys are provided by the class PKCS11_ECDH_PublicKey
. This class
inherits from PKCS11_EC_PublicKey
. The necessary property classes
are defined in <botan/p11_ecc_key.h>
. For public keys there are EC_PublicKeyGenerationProperties
and EC_PublicKeyImportProperties
.
-
class PKCS11_ECDH_PublicKey : public PKCS11_EC_PublicKey¶
-
PKCS11_ECDH_PublicKey(Session &session, ObjectHandle handle)¶
Existing PKCS#11 ECDH private keys can be used by providing an
ObjectHandle
to the constructor.
-
PKCS11_ECDH_PublicKey(Session &session, const EC_PublicKeyImportProperties &props)¶
This constructor can be used to import an existing ECDH public key with the
EC_PublicKeyImportProperties
passed inprops
to the token.
-
ECDH_PublicKey export_key() const¶
Returns the exported
ECDH_PublicKey
.
-
PKCS11_ECDH_PublicKey(Session &session, ObjectHandle handle)¶
ECDH Private Keys
The class PKCS11_ECDH_PrivateKey
inherits from PKCS11_EC_PrivateKey
and PK_Key_Agreement_Key
and implements support for PKCS#11 ECDH private keys. There are two
property classes. One for key generation and one for import: EC_PrivateKeyGenerationProperties
and
EC_PrivateKeyImportProperties
.
-
class PKCS11_ECDH_PrivateKey : public virtual PKCS11_EC_PrivateKey, public virtual PK_Key_Agreement_Key¶
-
PKCS11_ECDH_PrivateKey(Session &session, ObjectHandle handle)¶
Existing PKCS#11 ECDH private keys can be used by providing an
ObjectHandle
to the constructor.
-
PKCS11_ECDH_PrivateKey(Session &session, const EC_PrivateKeyImportProperties &props)¶
This constructor can be used to import an existing ECDH private key with the
EC_PrivateKeyImportProperties
passed inprops
to the token.
-
PKCS11_ECDH_PrivateKey(Session &session, const std::vector<uint8_t> &ec_params, const EC_PrivateKeyGenerationProperties &props)¶
This constructor can be used to generate a new ECDH private key with the
EC_PrivateKeyGenerationProperties
passed inprops
on the token. Theec_params
parameter is the DER-encoding of an ANSI X9.62 Parameters value.
-
ECDH_PrivateKey export_key() const¶
Returns the exported
ECDH_PrivateKey
.
-
PKCS11_ECDH_PrivateKey(Session &session, ObjectHandle handle)¶
PKCS#11 ECDH key pairs can be generated with the following free function:
-
PKCS11_ECDH_KeyPair PKCS11::generate_ecdh_keypair(Session &session, const EC_PublicKeyGenerationProperties &pub_props, const EC_PrivateKeyGenerationProperties &priv_props)¶
Code example:
#include <botan/asn1_obj.h>
#include <botan/auto_rng.h>
#include <botan/der_enc.h>
#include <botan/ec_group.h>
#include <botan/ecdh.h>
#include <botan/p11.h>
#include <botan/p11_ecc_key.h>
#include <botan/p11_ecdh.h>
#include <botan/p11_types.h>
#include <botan/pubkey.h>
#include <botan/symkey.h>
#include <string>
#include <vector>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// open write session to first slot with connected token
std::vector<Botan::PKCS11::SlotId> slots = Botan::PKCS11::Slot::get_available_slots(module, true);
Botan::PKCS11::Slot slot(module, slots.at(0));
Botan::PKCS11::Session session(slot, false);
Botan::PKCS11::secure_string pin = {'1', '2', '3', '4', '5', '6'};
session.login(Botan::PKCS11::UserType::User, pin);
/************ import ECDH private key *************/
Botan::AutoSeeded_RNG rng;
// create private key in software
Botan::ECDH_PrivateKey priv_key_sw(rng, Botan::EC_Group::from_name("secp256r1"));
priv_key_sw.set_parameter_encoding(Botan::EC_Group_Encoding::EC_DOMPAR_ENC_OID);
// set import properties
Botan::PKCS11::EC_PrivateKeyImportProperties priv_import_props(priv_key_sw.DER_domain(),
priv_key_sw.private_value());
priv_import_props.set_token(true);
priv_import_props.set_private(true);
priv_import_props.set_derive(true);
priv_import_props.set_extractable(true);
// label
std::string label = "test ECDH key";
priv_import_props.set_label(label);
// import to card
Botan::PKCS11::PKCS11_ECDH_PrivateKey priv_key(session, priv_import_props);
/************ export ECDH private key *************/
Botan::ECDH_PrivateKey exported = priv_key.export_key();
/************ import ECDH public key *************/
// set import properties
std::vector<uint8_t> ec_point;
Botan::DER_Encoder(ec_point).encode(priv_key_sw.public_point().encode(Botan::EC_Point_Format::Uncompressed),
Botan::ASN1_Type::OctetString);
Botan::PKCS11::EC_PublicKeyImportProperties pub_import_props(priv_key_sw.DER_domain(), ec_point);
pub_import_props.set_token(true);
pub_import_props.set_private(false);
pub_import_props.set_derive(true);
// label
label = "test ECDH pub key";
pub_import_props.set_label(label);
// import
Botan::PKCS11::PKCS11_ECDH_PublicKey pub_key(session, pub_import_props);
/************ export ECDH private key *************/
Botan::ECDH_PublicKey exported_pub = pub_key.export_key();
/************ generate ECDH private key *************/
Botan::PKCS11::EC_PrivateKeyGenerationProperties priv_generate_props;
priv_generate_props.set_token(true);
priv_generate_props.set_private(true);
priv_generate_props.set_derive(true);
Botan::PKCS11::PKCS11_ECDH_PrivateKey priv_key2(
session,
Botan::EC_Group::from_name("secp256r1").DER_encode(Botan::EC_Group_Encoding::EC_DOMPAR_ENC_OID),
priv_generate_props);
/************ generate ECDH key pair *************/
Botan::PKCS11::EC_PublicKeyGenerationProperties pub_generate_props(
Botan::EC_Group::from_name("secp256r1").DER_encode(Botan::EC_Group_Encoding::EC_DOMPAR_ENC_OID));
pub_generate_props.set_label(label + "_PUB_KEY");
pub_generate_props.set_token(true);
pub_generate_props.set_derive(true);
pub_generate_props.set_private(false);
pub_generate_props.set_modifiable(true);
Botan::PKCS11::PKCS11_ECDH_KeyPair key_pair =
Botan::PKCS11::generate_ecdh_keypair(session, pub_generate_props, priv_generate_props);
/************ ECDH derive *************/
Botan::PKCS11::PKCS11_ECDH_KeyPair key_pair_other =
Botan::PKCS11::generate_ecdh_keypair(session, pub_generate_props, priv_generate_props);
Botan::PK_Key_Agreement ka(key_pair.second, rng, "Raw", "pkcs11");
Botan::PK_Key_Agreement kb(key_pair_other.second, rng, "Raw", "pkcs11");
Botan::SymmetricKey alice_key =
ka.derive_key(32, key_pair_other.first.public_point().encode(Botan::EC_Point_Format::Uncompressed));
Botan::SymmetricKey bob_key =
kb.derive_key(32, key_pair.first.public_point().encode(Botan::EC_Point_Format::Uncompressed));
bool eq = alice_key == bob_key;
return eq ? 0 : 1;
}
RNG¶
The PKCS#11 RNG is defined in <botan/p11_randomgenerator.h>
. The class PKCS11_RNG
implements the Hardware_RNG
interface.
-
class PKCS11_RNG : public Hardware_RNG¶
-
-
void randomize(uint8_t output[], std::size_t length) override¶
Calls
C_GenerateRandom
to generate random data.
-
void add_entropy(const uint8_t in[], std::size_t length) override¶
Calls
C_SeedRandom
to add entropy to the random generation function of the token/middleware.
-
void randomize(uint8_t output[], std::size_t length) override¶
Code example:
#include <botan/auto_rng.h>
#include <botan/hmac_drbg.h>
#include <botan/mac.h>
#include <botan/p11.h>
#include <botan/p11_randomgenerator.h>
#include <botan/p11_types.h>
#include <vector>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// open write session to first slot with connected token
std::vector<Botan::PKCS11::SlotId> slots = Botan::PKCS11::Slot::get_available_slots(module, true);
Botan::PKCS11::Slot slot(module, slots.at(0));
Botan::PKCS11::Session session(slot, false);
Botan::PKCS11::PKCS11_RNG p11_rng(session);
/************ generate random data *************/
std::vector<uint8_t> random(20);
p11_rng.randomize(random.data(), random.size());
/************ add entropy *************/
Botan::AutoSeeded_RNG auto_rng;
auto auto_rng_random = auto_rng.random_vec(20);
p11_rng.add_entropy(auto_rng_random.data(), auto_rng_random.size());
/************ use PKCS#11 RNG to seed HMAC_DRBG *************/
Botan::HMAC_DRBG drbg(Botan::MessageAuthenticationCode::create("HMAC(SHA-512)"), p11_rng);
drbg.randomize(random.data(), random.size());
return 0;
}
Token Management Functions¶
The header file <botan/p11.h>
also defines some free functions for token management:
- void initialize_token(Slot &slot, const std::string &label, const secure_string &so_pin, const secure_string &pin)¶
Initializes a token by passing a
Slot
, alabel
and theso_pin
of the security officer.
- void change_pin(Slot &slot, const secure_string &old_pin, const secure_string &new_pin)¶
Change PIN with
old_pin
tonew_pin
.
Code example:
#include <botan/p11.h>
#include <botan/p11_types.h>
#include <vector>
int main() {
/************ set pin *************/
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// only slots with connected token
std::vector<Botan::PKCS11::SlotId> slots = Botan::PKCS11::Slot::get_available_slots(module, true);
// use first slot
Botan::PKCS11::Slot slot(module, slots.at(0));
Botan::PKCS11::secure_string so_pin = {'1', '2', '3', '4', '5', '6', '7', '8'};
Botan::PKCS11::secure_string pin = {'1', '2', '3', '4', '5', '6'};
Botan::PKCS11::secure_string test_pin = {'6', '5', '4', '3', '2', '1'};
// set pin
Botan::PKCS11::set_pin(slot, so_pin, test_pin);
// change back
Botan::PKCS11::set_pin(slot, so_pin, pin);
/************ initialize *************/
Botan::PKCS11::initialize_token(slot, "Botan handbook example", so_pin, pin);
/************ change pin *************/
Botan::PKCS11::change_pin(slot, pin, test_pin);
// change back
Botan::PKCS11::change_pin(slot, test_pin, pin);
/************ change security officer pin *************/
Botan::PKCS11::change_so_pin(slot, so_pin, test_pin);
// change back
Botan::PKCS11::change_so_pin(slot, test_pin, so_pin);
return 0;
}
X.509¶
The header file <botan/p11_x509.h>
defines the property class X509_CertificateProperties
and the class PKCS11_X509_Certificate
.
-
class PKCS11_X509_Certificate : public Object, public X509_Certificate¶
Code example:
#include <botan/p11.h>
#include <botan/p11_types.h>
#include <botan/p11_x509.h>
#include <botan/pkix_types.h>
#include <botan/x509cert.h>
#include <vector>
int main() {
Botan::PKCS11::Module module("C:\\pkcs11-middleware\\library.dll");
// open write session to first slot with connected token
std::vector<Botan::PKCS11::SlotId> slots = Botan::PKCS11::Slot::get_available_slots(module, true);
Botan::PKCS11::Slot slot(module, slots.at(0));
Botan::PKCS11::Session session(slot, false);
// load existing certificate
Botan::X509_Certificate root("test.crt");
// set props
Botan::PKCS11::X509_CertificateProperties props(root.subject_dn().DER_encode(), root.BER_encode());
props.set_label("Botan PKCS#11 test certificate");
props.set_private(false);
props.set_token(true);
// import
Botan::PKCS11::PKCS11_X509_Certificate pkcs11_cert(session, props);
// load by handle
Botan::PKCS11::PKCS11_X509_Certificate pkcs11_cert2(session, pkcs11_cert.handle());
return 0;
}
Tests¶
The PKCS#11 tests are not executed automatically because the depend on an external
PKCS#11 module/middleware. The test tool has to be executed with --pkcs11-lib=
followed with the path of the PKCS#11 module and a second argument which controls the
PKCS#11 tests that are executed. Passing pkcs11
will execute all PKCS#11 tests but it’s
also possible to execute only a subset with the following arguments:
pkcs11-ecdh
pkcs11-ecdsa
pkcs11-lowlevel
pkcs11-manage
pkcs11-module
pkcs11-object
pkcs11-rng
pkcs11-rsa
pkcs11-session
pkcs11-slot
pkcs11-x509
The following PIN and SO-PIN/PUK values are used in tests:
PIN 123456
SO-PIN/PUK 12345678
Warning
Unlike the CardOS (4.4, 5.0, 5.3), the aforementioned SO-PIN/PUK is inappropriate for Gemalto (IDPrime MD 3840) cards, as it must be a byte array of length 24. For this reason some of the tests for Gemalto card involving SO-PIN will fail. You run into a risk of exceding login attempts and as a result locking your card! Currently, specifying pin via command-line option is not implemented, and therefore the desired PIN must be modified in the header src/tests/test_pkcs11.h:
// SO PIN is expected to be set to "12345678" prior to running the tests const std::string SO_PIN = "12345678"; const auto SO_PIN_SECVEC = Botan::PKCS11::secure_string(SO_PIN.begin(), SO_PIN.end());
Tested/Supported Smartcards¶
You are very welcome to contribute your own test results for other testing environments or other cards.
Test results
Smartcard |
Status |
OS |
Midleware |
Botan |
Errors |
---|---|---|---|---|---|
CardOS 4.4 |
mostly works |
Windows 10, 64-bit, version 1709 |
API Version 5.4.9.77 (Cryptoki v2.11) |
2.4.0, Cryptoki v2.40 |
|
CardOS 5.0 |
mostly works |
Windows 10, 64-bit, version 1709 |
API Version 5.4.9.77 (Cryptoki v2.11) |
2.4.0, Cryptoki v2.40 |
|
CardOS 5.3 |
mostly works |
Windows 10, 64-bit, version 1709 |
API Version 5.4.9.77 (Cryptoki v2.11) |
2.4.0, Cryptoki v2.40 |
|
CardOS 5.3 |
mostly works |
Windows 10, 64-bit, version 1903 |
API Version 5.5.1 (Cryptoki v2.11) |
2.12.0 unreleased, Cryptoki v2.40 |
|
Gemalto IDPrime MD 3840 |
mostly works |
Windows 10, 64-bit, version 1709 |
IDGo 800, v1.2.4 (Cryptoki v2.20) |
2.4.0, Cryptoki v2.40 |
|
SoftHSM 2.3.0 (OpenSSL 1.0.2g) |
works |
Windows 10, 64-bit, version 1709 |
Cryptoki v2.40 |
2.4.0, Cryptoki v2.40 |
|
SoftHSM 2.5.0 (OpenSSL 1.1.1) |
works |
Windows 10, 64-bit, version 1803 |
Cryptoki v2.40 |
2.11.0, Cryptoki v2.40 |
Error descriptions
CKR_ARGUMENTS_BAD (0x7=7)
CKR_MECHANISM_INVALID (0x70=112)
CKR_FUNCTION_NOT_SUPPORTED (0x54=84)
CKR_RANDOM_SEED_NOT_SUPPORTED (0x120=288)
CKM_X9_42_DH_KEY_PAIR_GEN | CKR_DEVICE_ERROR (0x30=48)
CKR_TEMPLATE_INCONSISTENT (0xD1=209)
CKR_ENCRYPTED_DATA_INVALID | CKM_SHA256_RSA_PKCS (0x40=64)
CKR_TEMPLATE_INCOMPLETE (0xD0=208)
Test fails due to unsupported copy function (CKR_FUNCTION_NOT_SUPPORTED)
Generating private key for extraction with property extractable fails (CKR_ARGUMENTS_BAD)
Generate rsa private key operation fails (CKR_TEMPLATE_INCOMPLETE)
Raw RSA sign-verify fails (CKR_MECHANISM_INVALID)
Invalid argument Decoding error: BER: Value truncated
Invalid argument Decoding error: BER: Length field is to large
Invalid argument OS2ECP: Unknown format type 155
Invalid argument OS2ECP: Unknown format type 92
Invalid argument OS2ECP: Unknown format type 57
Invalid argument OS2ECP: Unknown format type 82
Invalid argument OS2ECP: Unknown format type 102