This page describes the classical cryptographic algorithms that Craton HSM exposes through the PKCS#11 interface: key sizes, supported mechanisms, whether multi-part streaming is available, and any operational constraints. All algorithms listed here are available with the default RustCrypto backend and with the aws-lc-rs Enterprise backend.
| Property | Value |
|---|---|
| Supported modulus sizes | 2048, 3072, 4096 bits |
| Key pair generation mechanism | CKM_RSA_PKCS_KEY_PAIR_GEN |
| Signing mechanisms | CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS |
| Encryption / decryption mechanism | CKM_RSA_PKCS_OAEP |
| Multi-part streaming | Yes, for CKM_SHA*_RSA_PKCS and CKM_SHA*_RSA_PKCS_PSS (SHA-256 / 384 / 512 variants) |
| FIPS-approved | All RSA mechanisms listed above |
- Keys smaller than 2048 bits are rejected unless algorithms.allow_weak_rsa = true is set. The approved-mode policy always rejects keys below 2048 bits.
- RSA key-size validation strips leading zero bytes from the modulus DER encoding before counting bits, so a modulus carrying a leading 0x00 sign byte is not counted as larger than it actually is.
- OAEP uses the MGF1 mask generation function with a hash matching the CKM_RSA_PKCS_OAEP parameter (typically SHA-256).
- PSS salt length defaults to the hash output length; callers may override via the mechanism parameter.
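The leading-zero rule above matters because a 2048-bit modulus whose first byte has the high bit set is DER-encoded with a 0x00 prefix, and a naive `len * 8` count then reports 2056 bits. The following Python is an added illustration of that check and of the `allow_weak_rsa` / approved-mode policy as this page describes them; it is not Craton HSM's own (Rust) implementation, and the `constructed_modulus` helper only builds sample values for the demonstration.

```python
MIN_RSA_BITS = 2048  # minimum the page states for both policies


def rsa_modulus_bits(modulus: bytes) -> int:
    """Bit length of a big-endian RSA modulus (as carried in CKA_MODULUS).

    DER INTEGER encoding (and some tools) prepend a 0x00 byte when the
    high bit of the first byte is set.  Counting len(modulus) * 8 would
    then report 2056 bits for a 2048-bit key, so leading zero bytes are
    stripped before the bits of the first significant byte are counted.
    """
    stripped = modulus.lstrip(b"\x00")
    if not stripped:
        return 0
    return (len(stripped) - 1) * 8 + stripped[0].bit_length()


def rsa_key_accepted(modulus: bytes, *, allow_weak_rsa: bool = False,
                     approved_mode: bool = False) -> bool:
    """Apply the key-size policy described on this page.

    - below 2048 bits: rejected unless algorithms.allow_weak_rsa = true
    - approved mode: always rejects below 2048 bits, regardless of the flag
    """
    bits = rsa_modulus_bits(modulus)
    if bits >= MIN_RSA_BITS:
        return True
    if approved_mode:
        return False
    return allow_weak_rsa


def constructed_modulus(bits: int, *, leading_zero: bool) -> bytes:
    """Constructed sample: a big-endian integer with exactly `bits` bits
    (top and bottom bit set), optionally with the DER-style 0x00 prefix.
    Not a real key; for demonstration only."""
    n = (1 << (bits - 1)) | 1
    raw = n.to_bytes(bits // 8, "big")
    return (b"\x00" + raw) if leading_zero else raw


if __name__ == "__main__":
    m = constructed_modulus(2048, leading_zero=True)
    print("naive bits:", len(m) * 8, "correct bits:", rsa_modulus_bits(m))
    print("1024-bit, default policy:", rsa_key_accepted(constructed_modulus(1024, leading_zero=False)))
    print("1024-bit, allow_weak_rsa:", rsa_key_accepted(constructed_modulus(1024, leading_zero=False), allow_weak_rsa=True))
    print("1024-bit, approved mode + allow_weak_rsa:",
          rsa_key_accepted(constructed_modulus(1024, leading_zero=False), allow_weak_rsa=True, approved_mode=True))
```

Note that `rsa_modulus_bits` is deliberately applied to the stripped value only; if the policy were applied to the unstripped DER bytes, a 2040-bit key with a sign byte would look like 2048 bits and slip past the minimum.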
```bash
pkcs11-tool --module libcraton_hsm.so --keypairgen \
    --key-type rsa:3072 --label signing-key --pin 87654321
pkcs11-tool --module libcraton_hsm.so --sign \
    --mechanism SHA256-RSA-PKCS --label signing-key \
    --pin 87654321 --input-file msg.bin --output-file msg.sig
```
| Property | Value |
|---|---|
| Supported curves | P-256 (secp256r1, NIST P-256), P-384 (secp384r1, NIST P-384) |
| Key pair generation mechanism | CKM_EC_KEY_PAIR_GEN |
| Signing mechanisms | CKM_ECDSA, CKM_ECDSA_SHA256, CKM_ECDSA_SHA384, CKM_ECDSA_SHA512 |
| Multi-part streaming | Yes, for CKM_ECDSA_SHA256, CKM_ECDSA_SHA384, CKM_ECDSA_SHA512 |
| FIPS-approved | Yes |
- CKM_ECDSA expects a caller-provided digest and does not stream.
- Signature encoding is the raw r || s concatenation, matching the PKCS#11 convention.
- Curve parameters are identified by their OID in the CKA_EC_PARAMS attribute; other curves (P-521, secp256k1) are not supported.
| Property | Value |
|---|---|
| Supported curves | P-256, P-384 |
| Derivation mechanisms | CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE |
| FIPS-approved | Yes (SP 800-56A) |
The shared secret is run through HKDF-SHA256 (SP 800-56C one-step key derivation) before being installed as the derived key's value. The derived key inherits its class and type from the CKA_CLASS / CKA_KEY_TYPE attributes in the caller's template.
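To make the derivation step concrete, here is an added Python example (not Craton HSM's code) of HKDF-SHA256 per RFC 5869 using only the standard library, checked against RFC 5869 test case A.1. How the module feeds the ECDH output into HKDF is not specified on this page, so the `derive_key_from_shared_secret` wrapper is this example's assumption: it treats the raw shared secret Z as the IKM, takes salt and info from the caller, and sizes the output to the template's CKA_VALUE_LEN.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_key_from_shared_secret(shared_secret_z: bytes, info: bytes,
                                  value_len: int, salt: bytes = b"") -> bytes:
    """Assumed mapping of the page's description onto HKDF (example only):
    the ECDH shared secret Z is the IKM, `value_len` is the template's
    CKA_VALUE_LEN, and salt/info come from the caller's parameters."""
    if len(shared_secret_z) not in (32, 48):  # P-256 / P-384 x-coordinate widths
        raise ValueError("expected a P-256 (32-byte) or P-384 (48-byte) shared secret")
    return hkdf_sha256(shared_secret_z, salt, info, value_len)


if __name__ == "__main__":
    # RFC 5869 A.1 test vector (SHA-256).
    ikm = bytes([0x0B]) * 22
    salt = bytes(range(13))
    info = bytes(range(0xF0, 0xFA))
    print("OKM:", hkdf_sha256(ikm, salt, info, 42).hex())
    # Constructed sample Z (not a real ECDH output) feeding the wrapper.
    print("derived AES-256 key:", derive_key_from_shared_secret(bytes([0x5A]) * 32, b"example-info", 32).hex())
```

Two practitioner points the code makes visible: the raw ECDH x-coordinate is never used directly as key material, and any two derivations that differ only in `info` yield unrelated keys, which is what lets one shared secret safely feed several purposes.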
| Property | Value |
|---|---|
| Supported curve | Ed25519 |
| Key pair generation mechanism | CKM_EDDSA |
| Signing mechanism | CKM_EDDSA |
| Multi-part streaming | No — Ed25519 is a single-pass signature |
| FIPS-approved | No — Ed25519 is not included in FIPS 186-5. Blocked when fips_approved_only = true |
Ed25519 is implemented as PureEdDSA per RFC 8032. CKM_EDDSA doubles as the key-pair-generation mechanism and as the signing mechanism in Craton HSM, in line with common PKCS#11 practice prior to the v3.0 CKM_EC_EDWARDS_KEY_PAIR_GEN split.
X25519 is not exposed as a standalone derivation mechanism. It is used internally by the hybrid CKM_HYBRID_X25519_ML_KEM_768 mechanism (see Post-quantum).
| Property | Value |
|---|---|
| Supported key sizes | 128, 192, 256 bits |
| Key generation mechanism | CKM_AES_KEY_GEN |
| Mechanisms | CKM_AES_GCM, CKM_AES_CBC, CKM_AES_CBC_PAD, CKM_AES_CTR, CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_KWP |
| Multi-part streaming | Yes for CKM_AES_CBC, CKM_AES_CBC_PAD, CKM_AES_CTR; CKM_AES_GCM is single-part |
| FIPS-approved | Yes |
- GCM: 12-byte (96-bit) IVs are required. Per-key nonce counters are maintained via DashMap<key_hash, AtomicU64> to prevent nonce reuse within the process. C_EncryptInit rejects an all-zero IV.
- CBC / CTR: C_EncryptInit rejects an all-zero IV. CBC without padding requires plaintext aligned to the 16-byte block boundary; CKM_AES_CBC_PAD applies PKCS#7 padding.
- Key Wrap: CKM_AES_KEY_WRAP is RFC 3394 AES-KW. CKM_AES_KEY_WRAP_KWP is RFC 5649 AES-KWP (with padding) for wrapping keys of arbitrary byte length.
```bash
pkcs11-tool --module libcraton_hsm.so --keygen \
    --key-type aes:32 --label data-key --pin 87654321
```
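The IV and padding rules in the AES constraints above are the ones that most often go wrong in client code, so here they are as an added Python example; this is not Craton HSM's Rust implementation. The `GcmNonceCounter` class is a stand-in for the DashMap<key_hash, AtomicU64> the page mentions (a dict under a lock); the page does not say how the counter is turned into an IV, so the 4-byte fixed field + 8-byte counter layout (the SP 800-38D deterministic construction) is this example's assumption.

```python
import threading
from collections import defaultdict
from typing import Optional

GCM_IV_LEN = 12   # 96-bit IV required by CKM_AES_GCM
AES_BLOCK = 16


def gcm_iv_error(iv: bytes) -> Optional[str]:
    """Mirror of the C_EncryptInit checks described for CKM_AES_GCM.
    Returns None if the IV is acceptable, otherwise the reason it is rejected."""
    if len(iv) != GCM_IV_LEN:
        return f"CKM_AES_GCM requires a {GCM_IV_LEN}-byte IV, got {len(iv)}"
    if iv == bytes(GCM_IV_LEN):
        return "all-zero IV rejected"
    return None


class GcmNonceCounter:
    """Per-key 64-bit invocation counters keyed by a hash of the key value.

    Assumption (example only): IV = fixed_field (4 bytes) || counter (8 bytes, big-endian).
    The counter starts at 1, so the IV can never be all zeros even when the
    fixed field is, and each key's counter is independent of every other key's."""

    def __init__(self, fixed_field: bytes):
        if len(fixed_field) != 4:
            raise ValueError("fixed field must be 4 bytes")
        self._fixed = fixed_field
        self._lock = threading.Lock()          # stands in for AtomicU64 + DashMap
        self._counters = defaultdict(int)

    def next_iv(self, key_hash: bytes) -> bytes:
        with self._lock:
            n = self._counters[key_hash] + 1
            if n >= 2 ** 64:
                raise RuntimeError("GCM invocation counter exhausted; rotate the key")
            self._counters[key_hash] = n
        iv = self._fixed + n.to_bytes(8, "big")
        err = gcm_iv_error(iv)
        if err:
            raise RuntimeError(err)
        return iv


def cbc_nopad_error(plaintext: bytes) -> Optional[str]:
    """CKM_AES_CBC (no padding) requires block-aligned input."""
    if len(plaintext) % AES_BLOCK:
        return f"CKM_AES_CBC requires plaintext aligned to {AES_BLOCK} bytes, got {len(plaintext)}"
    return None


def pkcs7_pad(data: bytes) -> bytes:
    """PKCS#7 padding as applied by CKM_AES_CBC_PAD: always adds 1..16 bytes."""
    n = AES_BLOCK - (len(data) % AES_BLOCK)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strict inverse of pkcs7_pad; rejects malformed padding outright."""
    if not data or len(data) % AES_BLOCK:
        raise ValueError("padded data must be a non-empty multiple of the block size")
    n = data[-1]
    if n < 1 or n > AES_BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


if __name__ == "__main__":
    ctr = GcmNonceCounter(fixed_field=b"\x00\x00\x00\x01")
    print("iv 1:", ctr.next_iv(b"constructed-key-hash").hex())
    print("iv 2:", ctr.next_iv(b"constructed-key-hash").hex())
    print("zero IV:", gcm_iv_error(bytes(12)))
    print("padded:", pkcs7_pad(b"hello").hex())
```

A usage note on the padding oracle angle: `pkcs7_unpad` reports one generic error for every malformed padding so that callers cannot distinguish the failure modes; on the module side the same property holds because the error surfaces as a single PKCS#11 return code rather than a description of what was wrong.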
HMAC is available for use with C_DigestKey to include a key's value in a digest, but direct HMAC computation is driven through the digest mechanisms. The construction uses hmac 0.12 over SHA-256, SHA-384, and SHA-512. PIN hashing uses PBKDF2-HMAC-SHA256 with 600 000 iterations by default (configurable via security.pbkdf2_iterations).
| Construction | Status |
|---|---|
| HMAC-SHA256 | FIPS-approved |
| HMAC-SHA384 | FIPS-approved |
| HMAC-SHA512 | FIPS-approved |
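The PIN-hashing statement above (PBKDF2-HMAC-SHA256, 600 000 iterations by default, configurable via security.pbkdf2_iterations) is easy to get wrong on the storage side: the iteration count and salt must travel with the hash, or the count can never be raised later. The snippet below is an added Python example of that pattern using the standard library, not Craton HSM's code; the `pbkdf2-sha256$iterations$salt$hash` record format and the `needs_rehash` helper are this example's conventions, and the PIN value is the one used in this page's pkcs11-tool commands.

```python
import hashlib
import hmac
import os
from typing import Optional

DEFAULT_PBKDF2_ITERATIONS = 600_000   # default stated on this page (security.pbkdf2_iterations)
DK_LEN = 32                           # SHA-256 output width
ALG = "pbkdf2-sha256"


def hash_pin(pin: str, iterations: int = DEFAULT_PBKDF2_ITERATIONS,
             salt: Optional[bytes] = None) -> str:
    """Derive a stored verifier from a PIN.

    The record carries the algorithm, iteration count and per-PIN salt so
    the count can be raised in configuration without invalidating old records."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    salt = salt if salt is not None else os.urandom(16)  # fixed salt only for the demo/test
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    return f"{ALG}${iterations}${salt.hex()}${dk.hex()}"


def verify_pin(pin: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
        if alg != ALG:
            return False
        dk = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters), dklen=DK_LEN)
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False


def needs_rehash(record: str, configured_iterations: int) -> bool:
    """True when the stored record was produced with fewer iterations than
    the current configuration demands (re-derive on next successful login)."""
    alg, iters, _salt, _dk = record.split("$")
    return alg != ALG or int(iters) < configured_iterations


if __name__ == "__main__":
    rec = hash_pin("87654321")
    print(rec)
    print("verify correct PIN:", verify_pin("87654321", rec))
    print("verify wrong PIN:  ", verify_pin("12345678", rec))
    print("needs rehash at 1 000 000:", needs_rehash(rec, 1_000_000))
```

The test below uses a reduced iteration count purely to keep the check fast; the default of 600 000 is what a deployment should keep or raise.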
| Mechanism | Algorithm | FIPS-approved |
|---|---|---|
| CKM_SHA_1 | SHA-1 | Digest only; blocked for signing in approved mode |
| CKM_SHA256 | SHA-256 | Yes |
| CKM_SHA384 | SHA-384 | Yes |
| CKM_SHA512 | SHA-512 | Yes |
| CKM_SHA3_256 | SHA3-256 | Yes |
| CKM_SHA3_384 | SHA3-384 | Yes |
| CKM_SHA3_512 | SHA3-512 | Yes |
All digest mechanisms support multi-part streaming (C_DigestInit → C_DigestUpdate* → C_DigestFinal).
| Operation | Streaming supported |
|---|---|
| RSA sign/verify with prehash (SHA-256/384/512 variants) | Yes |
| RSA sign/verify with CKM_RSA_PKCS (raw) | No |
| ECDSA with prehash (CKM_ECDSA_SHA*) | Yes |
| ECDSA raw (CKM_ECDSA) | No |
| EdDSA | No |
| AES-GCM encrypt/decrypt | No |
| AES-CBC / CBC-PAD / CTR encrypt/decrypt | Yes |
| SHA-2 and SHA-3 digest | Yes |
| RSA-OAEP encrypt/decrypt | No |