We’ve mentioned before that the PKCS#11 crypto token API standard doesn’t come with a set of compliance criteria. However, the 407-page standard is full of vital implementation notes that affect not just interoperability and compatibility, but robustness and security, which is why we built a compliance testing tool.
Now we’ve decided to release the list of PKCS#11 compliance criteria that our tester uses.
We have 118 compliance criteria in our initial list for PKCS#11v2.20, all of which come with a direct reference to the section and page in the standard where the compliance requirement comes from.
Of these 118 criteria, 16 are rated “High” criticality, 53 “Medium” and 49 “Low”. What do these ratings mean? Broadly speaking, if we were testing your P11 implementation, this is the order in which we would recommend you prioritize fixes. In more detail, “High” means that there is a direct attack if the device is not compliant, “Medium” means that an attack is plausible if the application is using the interface in a particular way, while “Low” means the issue seems to be one of compatibility or interoperability.
Most cases fall clearly into one category or another, but some are less clear-cut. We may well update the list over time, but it’s important to have a starting point. Using the compliance tester, we have already unearthed a serious issue in a major manufacturer’s HSM. They’re working on a patch – more about that in a future post.
In the meantime, request a demo version of our compliance tool or send us your feedback on the compliance list.