PKCS11_KERNEL(7) Standards, Environments, and Macros PKCS11_KERNEL(7)

pkcs11_kernel - PKCS#11 interface to Kernel Cryptographic Framework


The object implements the RSA PKCS#11 v2.20 specification by using a private interface to communicate with the Kernel Cryptographic Framework.

Each unique hardware provider is represented by a PKCS#11 slot. In a system with no hardware Kernel Cryptographic Framework providers, this PKCS#11 library presents no slots.

The PKCS#11 mechanisms provided by this library is determined by the available hardware providers.

Application developers should link to rather than link directly to See libpkcs11(3LIB).

All of the Standard PKCS#11 functions listed on libpkcs11(3LIB) are implemented except for the following:


A call to these functions returns CKR_FUNCTION_NOT_SUPPORTED.

Buffers cannot be greater than 2 megabytes. For example, C_Encrypt() can be called with a 2 megabyte buffer of plaintext and a 2 megabyte buffer for the ciphertext.

The maximum number of object handles that can be returned by a call to C_FindObjects() is 512.

The maximum amount of kernel memory that can be used for crypto operations is limited by the project.max-crypto-memory resource control. Allocations in the kernel for buffers and session-related structures are charged against this resource control.

The return values of each of the implemented functions are defined and listed in the RSA PKCS#11 v2.20 specification. See

See attributes(7) for a description of the following attributes:

Interface Stability Standard: PKCS#11 v2.20
MT-Level MT-Safe with exceptions. See section 6.5.2 of RSA PKCS#11 v2.20

libpkcs11(3LIB), attributes(7), pkcs11_softtoken(7), cryptoadm(8), rctladm(8)

RSA PKCS#11 v2.20

Applications that have an open session to a PKCS#11 slot make the corresponding hardware provider driver not unloadable. An administrator must close the applications that have an PKCS#11 session open to the hardware provider to make the driver unloadable.

October 27, 2005 OmniOS