Class: CryptoSuite_PKCS11

CryptoSuite_PKCS11

PKCS#11-compliant implementation to support Hardware Security Modules.

new CryptoSuite_PKCS11(keySize, hash, opts)

Parameters:
Name Type Description
keySize number Length of key (in bytes), a.k.a "security level"
hash string Optional. Hash algorithm, supported values are "SHA2" and "SHA3"
opts Object Options are of the form
  {
    lib: string,       // the library package to support this implementation
    slot: number,      // the hardware slot number
    label: string,     // the label assigned to the token at slot initialisation (overrides slot)
    pin: string,       // the user's PIN
    usertype: number,  // the user type
    readwrite: boolean // true if the session is read/write or false if read-only
  }
If 'lib' is not specified or null, its value will be taken from the CRYPTO_PKCS11_LIB env var, and if the env var is not set, its value will be taken from the crypto-pkcs11-lib key in the configuration file.

If 'slot' is not specified or null, its value will be taken from the CRYPTO_PKCS11_SLOT env var, and if the env var is not set, its value will be taken from the crypto-pkcs11-slot key in the configuration file.

If 'label' is not specified or null, its value will be taken from the CRYPTO_PKCS11_LABEL env var, and if the env var is not set, its value will be taken from the crypto-pkcs11-label key in the configuration file. If label is present then it will override any slot value provided

If 'pin' is not specified or null, its value will be taken from the CRYPTO_PKCS11_PIN env var, and if the env var is not set, its value will be taken from the crypto-pkcs11-pin key in the configuration file.

If 'usertype' is not specified or null, its value will be taken from the CRYPTO_PKCS11_USERTYPE env var, if the env var is not set, its value will be taken from the crypto-pkcs11-usertype key in the configuration file, if the config value is not set, its value will default to 1. The value will not be validated, assumes the C_Login will validate. --- from http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
0          CKU_SO                          0UL
1          CKU_USER                        1UL
2          CKU_CONTEXT_SPECIFIC            2UL
4294967295 max allowed            0xFFFFFFFFUL

If 'readwrite' is not specified or null, its value will be taken from the CRYPTO_PKCS11_READWRITE env var, if the env var is not set, its value will be taken from the crypto-pkcs11-readwrite key in the configuration file, if the config value is not set, its value will default to true.

Extends

  • module:api.CryptoSuite

Methods


createKeyFromRaw()

This is an implementation of module:api.CryptoSuite#createKeyFromRaw

decrypt()

This is an implementation of module:api.CryptoSuite#decrypt Decrypts cipherText using key. The opts argument is not supported yet.

deriveKey()

This is an implementation of module:api.CryptoSuite#deriveKey

encrypt()

This is an implementation of module:api.CryptoSuite#encrypt Encrypts plainText using key. The opts argument is not supported.

generateEphemeralKey()

This is an implementation of module:api.CryptoSuite#generateEphemeralKey
Returns:
Promise of an instance of module:Pkcs11EcdsaKey containing the private key and the public key.
Type
module:api.Key

generateKey()

This is an implementation of module:api.CryptoSuite#generateKey Returns an instance of module.api.Key representing the private key, which also encapsulates the public key. The key (keypair) will be saved across PKCS11 sessions by the HSM hardware. Use generateEphemeralKey to retrieve an ephmeral key.
Returns:
Promise of an instance of module:Pkcs11EcdsaKey containing the private key and the public key.
Type
module:api.Key

getKey()

This is an implementation of module:api.CryptoSuite#getKey Returns the key this CSP associates to the Subject Key Identifier ski.

getKeySize()

This is an implementation of module:api.CryptoSuite#getKeySize

hash()

This is an implementation of module:api.CryptoSuite#hash The opts argument is not supported yet.

<async> importKey()

This is an implementation of module:api.CryptoSuite#importKey

sign()

This is an implementation of module:api.CryptoSuite#sign Signs digest using key k.

verify()

This is an implementation of module:api.CryptoSuite#verify Verifies signature against key k and digest