Virtual HSM
ACU6 provides a cryptographic library implementing the PKCS#11 v3.0 specification to interface with its HSM.
The library is available as /usr/lib/libvhsm-pkcs11.so.
Deviations from specification
The library deviates from the PKCS#11 v3.0 specification on the following points:
The library is default logged in meaning all sessions are R/W sessions.
Hardware backed keys
Keys that are CKA_TOKEN=True are stored on the ACU6 Pro OH Secure Element.
The Secure Element has 4 key slots and supports Elliptic Curve keys on the
NIST P-256 curve.
Only C_GenerateKeyPair can create keys on the Secure Element.
Supported subset of PKCS#11 interface functions
The PKCS#11 interface supports the following parts of PKCS#11:
C_GetInfoC_GetSlotListC_GetSlotInfoC_GetTokenInfoC_GetMechanismListC_GetMechanismInfoC_InitTokenC_OpenSessionC_CloseSessionC_CreateObjectC_DestroyObjectC_GetAttributeValueC_SetAttributeValueC_FindObjectsInitC_FindObjectsC_FindObjectsFinalC_EncryptInitC_EncryptC_EncryptUpdateC_EncryptFinalC_DecryptInitC_DecryptC_DecryptUpdateC_DecryptFinalC_DigestInitC_DigestC_DigestUpdateC_DigestFinalC_SignInitC_SignC_SignUpdateC_SignFinalC_VerifyInitC_VerifyC_VerifyUpdateC_VerifyFinalC_GenerateKeyPairC_DeriveKeyC_GenerateRandom
Supported PKCS#11 Mechanisms
Not all mechanisms defined by PKCS#11 are supported.
Digest operations
Supports SHA-256 to SHA-512 algorithms only.
Besides the supported digest algorithms, the CKM_NULL algorithm is available
through the sign, verify, encrypt and decrypt operations.
Sign/Verify operations
Supports Elliptic Curve algorithm only.
For CKA_TOKEN=True only NIST P-256 keys are supported, otherwise keys of
256 to 521 bits are supported.
Encrypt/Decrypt operations
Supports the following algoritms only:
AES-ECB
AES-GCM
Key derivation operations
Supports generating Generic Secrets only.
Key generation operations
Supports generating Elliptic Curve keys pairs only.
Object creation operations
Supports creating key objects of the following types only:
Elliptic Curve
AES
Generic Secret
Usage examples
OpenSC pkcs11-tool
Generate a Token key, sign some data, verify the data, delete the key again
# pkcs11-tool --module /usr/lib/libvhsm-pkcs11.so -I Cryptoki version 3.2 Manufacturer Actia Nordic AB Library vHSM PKCS11 Library (ver 0.0) Using slot 0 with a present token (0x1) # pkcs11-tool --module /usr/lib/libvhsm-pkcs11.so -k -m ECDSA-KEY-PAIR-GEN --key-type EC:prime256v1 -a demo-key Using slot 0 with a present token (0x1) Key pair generated: Private Key Object; EC label: demo-key Usage: sign, derive Access: sensitive, always sensitive, never extractable, local Unique ID: 9a5387f822ff4905a3f8cd192e672847 uri: pkcs11:model=ACU6%20Pro%20OH;manufacturer=Actia%20Nordic%20AB;serial=00000000;token=Actia%20vHSM;object=demo-key;type=private Public Key Object; EC EC_POINT 256 bits EC_POINT: 0441045f0d2a17e48bcad57c4fc67bfdaebf2d012e08225147fd106cbdedd68259f0917253922b6c2f29e0faed7bf5eca6c07574622ddb6a87df7ece99373736de607f EC_PARAMS: 06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7) label: demo-key Usage: verify, derive Access: local Unique ID: ccd8ec486b214dc3948a8c9dc79be433 uri: pkcs11:model=ACU6%20Pro%20OH;manufacturer=Actia%20Nordic%20AB;serial=00000000;token=Actia%20vHSM;object=demo-key;type=public # dd if=/dev/urandom of=/tmp/data count=1 bs=1M 1+0 records in 1+0 records out # pkcs11-tool --module /usr/lib/libvhsm-pkcs11.so -s -i /tmp/data -m ECDSA-SHA256 --label demo-key -o /tmp/demo.sig Using slot 0 with a present token (0x1) Using signature algorithm ECDSA-SHA256 # pkcs11-tool --module /usr/lib/libvhsm-pkcs11.so --verify -i /tmp/data -m ECDSA-SHA256 --label demo-key --signature-file /tmp/demo.sig Using slot 0 with a present token (0x1) Using signature algorithm ECDSA-SHA256 Signature is valid # pkcs11-tool --module /usr/lib/libvhsm-pkcs11.so -b --label demo-key -y privkey Using slot 0 with a present token (0x1) # pkcs11-tool --module /usr/lib/libvhsm-pkcs11.so -b --label demo-key -y pubkey Using slot 0 with a present token (0x1)