When choosing an HSM or smartcard to act as crypto provider for a PKCS#11 application, it’s important that the provider actually supports the specific cryptographic algorithms (or “mechanisms” in PKCS#11 terminology) required for the commands that the application will use. What’s more, if the device offers insecure mechanisms, an attacker might make use of them to compromise data. There are 224 mechanisms and 54 commands in v2.20 of the standard. How can I find out which ones a specific device implements?
To help with this problem, we’ve added a functionality summary to the PKCS#11 compliance reports produced by our software. The output is designed to look like the “Mechanisms vs Functions” table (table 34 in v2.20) of the standard, which shows which mechanisms are considered valid for each command. In our table, a cross indicates that we were able to use the mechanism in that row successfully for the command in that column. For example, take a look at the coverage of openCryptoki or SoftHSM, two open-source PKCS#11 software projects (go to the bottom and click on “Supported Mechanisms”).
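For a first look before any testing, the flags a token reports through `C_GetMechanismInfo` can be folded into the same kind of table. The sketch below is an added example, not the code behind the reports described here, and it shows only what the token claims to support rather than what was exercised successfully. The flag and mechanism values are from the v2.20 header; the token data, `REQUIRED` and `DENIED` are constructed for illustration.

```python
# Bits of CK_MECHANISM_INFO.flags (PKCS#11 v2.20) -> function family.
CKF = {
    "Encrypt": 0x100, "Decrypt": 0x200, "Digest": 0x400, "Sign": 0x800,
    "SignRecover": 0x1000, "Verify": 0x2000, "VerifyRecover": 0x4000,
    "Generate": 0x8000, "GenerateKeyPair": 0x10000, "Wrap": 0x20000,
    "Unwrap": 0x40000, "Derive": 0x80000,
}
# Mechanism type values from the v2.20 header (small subset).
CKM = {0x0000: "CKM_RSA_PKCS_KEY_PAIR_GEN", 0x0001: "CKM_RSA_PKCS",
       0x0121: "CKM_DES_ECB", 0x0210: "CKM_MD5", 0x0250: "CKM_SHA256",
       0x1080: "CKM_AES_KEY_GEN", 0x1082: "CKM_AES_CBC"}

# Constructed sample: (mechanism type, flags) pairs as a token might report
# them. 0x80000001 stands in for a vendor-defined mechanism.
SAMPLE_TOKEN = [(0x0000, 0x10001), (0x0001, 0x62B01), (0x0121, 0x60300),
                (0x0210, 0x400), (0x0250, 0x400), (0x1080, 0x8001),
                (0x1082, 0x60301), (0x80000001, 0x100)]
# Hypothetical application policy (assumption, not from the page).
REQUIRED = {("CKM_AES_CBC", "Encrypt"), ("CKM_SHA256_RSA_PKCS", "Sign")}
DENIED = {"CKM_DES_ECB", "CKM_MD5"}

def coverage(mech_list):
    """Map mechanism name -> set of function families its flags advertise."""
    table = {}
    for mech, flags in mech_list:
        name = CKM.get(mech, f"0x{mech:08X}")  # unknown types stay numeric
        table[name] = {fn for fn, bit in CKF.items() if flags & bit}
    return table

def audit(table, required, denied):
    """Return (required pairs the token lacks, denied mechanisms it offers)."""
    missing = sorted(p for p in required if p[1] not in table.get(p[0], set()))
    offered = sorted(m for m in denied if m in table)
    return missing, offered

def render(table):
    """Text table: one row per mechanism, an X where the flag is set."""
    cols = list(CKF)
    out = [" " * 28 + " ".join(cols)]
    for name in sorted(table):
        out.append(name.ljust(28) + " ".join(
            ("X" if c in table[name] else "").center(len(c)) for c in cols))
    return "\n".join(out)

if __name__ == "__main__":
    t = coverage(SAMPLE_TOKEN)
    print(render(t))
    print(audit(t, REQUIRED, DENIED))
```

Against a real device, the `(type, flags)` pairs would come from `C_GetMechanismList` and `C_GetMechanismInfo` on the slot in question.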
If you’re considering a PKCS#11 project and want to be sure your device covers the commands you need, get in touch: we may have the functionality report you need.