Support #1228

Add CCM and GCM mode support to AES in pkcs11_softtoken

Added by Jason King over 9 years ago. Updated almost 2 years ago.

lib - userland libraries

Currently the AES_[CG]CM modes are only supported within the kernel. Userland utilities (such as IKE, SSH, SSL/TLS) might also want support for this.

The one wrinkle is that the current standard version of pkcs11 (2.20 amendment 3) doesn't define this. The draft of 2.30, however, does (but does not specify a value for CKM_AES_[CG]CM, but does define a draft structure for CKM[CG]CM_PARAMS). The draft has been unchanged since 2009, so it is unclear when (if ever) it will become the next version.

A solution would be to use a vendor defined value (such as CKM_ILLUMOS_AES_[CG]CM and CKM_ILLUMOS-AES[CG]CM_PARAMS) and whenever 2.30 is ratified, the Illumos implementation can be mapped to the standard one (either through #defines or support within libpkcs11).

Another solution would be to create a small private header file that is not packaged to define these values and remove it when 2.30 is ratified (though this would obviously prevent anything outside of illumos-gate from being able to utilize this while 2.30 remains in a draft state).


Updated by Jason King almost 2 years ago

The Joyent ticket for the same issue is OS-6576.


Updated by Jason King almost 2 years ago

  • Subject changed from Need AES_[CG]CM support in pkcs11 to Add CCM and GCM mode support to AES in pkcs11_softtoken

Updated by Electric Monk almost 2 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit fb2612809ed5f2cb9109db768e63d61f6659f71b

commit  fb2612809ed5f2cb9109db768e63d61f6659f71b
Author: Jason King <>
Date:   2018-12-20T21:51:44.000Z

    1228 Add CCM and GCM mode support to AES in pkcs11_softtoken
    Reviewed by: Dan McDonald <>
    Reviewed by: Robert Mustacchi <>
    Reviewed by: Igor Kozhukhov <>
    Approved by: Richard Lowe <>
