- PKCS#11 interface to Kernel Cryptographic Framework
The pkcs11_kernel.so object implements the RSA PKCS#11 v2.20 specification by using a private interface to communicate with the Kernel Cryptographic Framework.
Each unique hardware provider is represented by a PKCS#11 slot. In a system with no hardware Kernel Cryptographic Framework providers, this PKCS#11 library presents no slots.
The PKCS#11 mechanisms provided by this library is determined by the available hardware providers.
Application developers should link to libpkcs11.so rather than link directly to pkcs11_kernel.so. See libpkcs11(3LIB).
All of the Standard PKCS#11 functions listed on libpkcs11(3LIB) are implemented except for the following:
C_DecryptDigestUpdate C_DecryptVerifyUpdate C_DigestEncryptUpdate C_GetOperationState C_InitToken C_InitPIN C_SetOperationState C_SignEncryptUpdate C_WaitForSlotEvent
A call to these functions returns CKR_FUNCTION_NOT_SUPPORTED.
Buffers cannot be greater than 2 megabytes. For example, C_Encrypt() can be called with a 2 megabyte buffer of plaintext and a 2 megabyte buffer for the ciphertext.
The maximum number of object handles that can be returned by a call to C_FindObjects() is 512.
The maximum amount of kernel memory that can be used for crypto operations is limited by the project.max-crypto-memory resource control. Allocations in the kernel for buffers and session-related structures are charged against this resource control.
The return values of each of the implemented functions are defined and listed in the RSA PKCS#11 v2.20 specification. See http://www.rsasecurity.com.
See attributes(5) for a description of the following attributes:
RSA PKCS#11 v2.20 http://www.rsasecurity.com
Applications that have an open session to a PKCS#11 slot make the corresponding hardware provider driver not unloadable. An administrator must close the applications that have an PKCS#11 session open to the hardware provider to make the driver unloadable.