We are pleased to announce the release of SafeNet MobilePASS for iOS 8.4.11 and SafeNet MobilePASS for Android 8.4.4.

 SafeNet MobilePASS for iOS 8.4.11

This version features the following:

• Improvements for iOS 13
• VoiceOver support
• UI improvements on iPhone 8+ devices

Version Download: App Store, KB0020530

SafeNet MobilePASS for Android 8.4.4

This version features the following:

• Android 10 support
• Accessibility narrator support for keypad

Version download: Google Play, KB0020531

We are pleased to announce the release SafeNet Authentication Service PCE/SPE v 3.10.0 (SAS PCE)

This version features the following:

• Support for Windows Server 2019 Operating System
• FIPS support in SAS

SafeNet Authentication Service PCE/SPE v 3.10.0 is available for download from Thales Customer Portal: KB0020547

We are pleased to announce the release of  SafeNet MobilePASS+ for Windows v1.8.1.

This new version features:

• App Store review dialog
• Known issues

SafeNet MobilePASS+ for Windows v1.8.1 can be downloaded from  Windows Store, or from Thales Customer Support Portal:  EXE – KB0020566, APPX – KB0020567

Thales Crypto Command Center continues to evolve, adding new features and enhancements in order for Enterprises to centrally manage Luna Network Hardware Security Modules (HSMs).

New to the platform:

• Ability for administrators to view the health and status of clients connecting to the HSM;
• Application Owners can view monitoring data, charts and graphs for services in their group including performance and number of decrypt operations;
• Setting notifications based on usage sensitivity thresholds; and
• Improvements to the UX.

Now that SafeNet Crypto Command Center version 3.6 is available, Thales is announcing the end-of-sale and support for versions 3.3, 3.4 and 3.5 as per the timelines listed in Table 1. To ease your migration efforts, please refer to Table 2 below.

Table 1: EoS Milestones and Dates

Table 2: Affected Part Numbers and Migration Path

*Please note: as of Crypto Command Center version 3.5, Thales no longer offers separate Premium and Freemium releases. For the Freemium license version 3.5 or higher, use the Premium download and apply the Freemium license included in the package.

Resources

The following documentation is available to guide you through the migration process from Crypto Command Center 3.3, 3.4 and 3.5 to 3.6:

Supported Luna HSM Versions

Crypto Command Center 3.6 supports the following versions of Luna Network HSMs:

• 6.x, 7.0, 7.1, 7.2, 7.3
• REST API is required
• 6.2.2 with firmware 6.10.9 or 6.24.3 (6.10.9 recommended for FIPS compliance)
• 6.3 with firmware 6.10.9 & 6.27.0
• 7.0 Or 7.1 with (firmware 7.0.1, 7.0.2 & 7.1.0), 7.2, 7.3, & 7.4.

Contact

Should you have any questions please contact your Thales representative.

We’re excited to announce that the Universal Client v 10.1 is now available, providing the following benefits:

• Hybrid Support:
  • Deploy a single client to support both our on-premises and cloud-based HSMs
  • Clone keys between Luna HSMs and DPoD
  • Securely backup and restore HSM key material between Luna HSMs, DPoD, and Luna Backup HSMs with automatic key replication
  • 3^rd Party HSM integrations working with both Luna HSMs and HSM on Demand Services
• Luna HSM:
• • 3rd Party Client Signed Certificates – Luna Client NTLS certificates can now be signed by a 3rd party or internal certificate authority (CA)
  • Windows Server Secure Boot Enhancements: drivers are now signed by Microsoft to help prevent malicious software applications and unauthorized operating systems from loading during the system start-up process
  • Remote PED on Linux: remotely provision a Luna HSM using a Linux operating system (previously only available on Windows)

Downloads:

• Universal Client 10.1 replaces the existing Luna HSM 7.5 Client and is available on the support portal
• Please note that version 7.5 is no longer available for download, and the new Luna Backup HSM support introduced in 7.5 is also available in the 10.1 release
• All DPoD tenants are asked to upgrade to the latest client before the end of the year

Download Links:

Questions? Contact your Thales Representative.

Thales/Gemalto is very pleased to announce the release of ProtectToolkit 5.9. This release, compatible with all ProtectServer 2 models, provides the following new features and enhancements:

CTMULTITOKEN

SafeNet ProtectToolkit 5.9 includes ctmultitoken, a multi-threaded performance testing tool (which will eventually replace the single-threaded CTPerf tool) that allows you to perform basic cryptographic functions on a ProtectServerHSM. Designed as a testing tool for HSM operations and performance, ctmultitoken allows you to specify one or more tokens on which to perform or repeat an operation, and returns a summary of the results.

Key Creation From Multiple Components and Multi-Custodian Backup/Restore Allowed in FIPS Mode

A new mechanism, CKM_PP_LOAD_SECRET_2, allows you to import keys from multiple components and backup/restore multi-custodian keys without requiring the WeakPKCS#11Mechanisms flag to be set. These operations are now supported in FIPS mode.

MIBs for SNMP Logging Enhancements

SafeNet ProtectToolkit 5.9 includes Management Information Base files(MIBs) that enable you to retrieve information about the ProtectServer Network HSM via SNMP. New TUAK and KECCAK Mechanisms SafeNet ProtectToolkit 5.9 includes new mechanisms for using the TUAK and KECCAK cryptographic algorithms, used for 5G mobile ethernet systems.

New PSESH Commands Display HSM Information and Allow Audit Log Cleanup

New PSESH commands allow the following functions:

• audit log clear: allows the audit user to delete all current audit logs on the HSM.
• syslog cleanup: allows the admin user to create a .tar archive of all audit logs currently on the HSM, and delete them.
• hsm show: displays information about the appliance image/HSM firmware versions, slot information, and admin token information.

Please go to the Gemalto Support Portal**to download the release notes – details as follows:

Release notes – Knowledge Base Article DOW0004477/KB0020597
PTK 5.9 Software (PTK-C;PTK-J;PTK-M) – Doc ID: DOW0004478/KB0020598
Firmware 5.00.06 – Doc ID: DOW0004480/KB0020600
PTK 5.9 Documentation – Doc ID: DOW0004479/KB0020599
ProtectServer External appliance upgrade – Doc ID: DOW0004481/KB0020601

**Log in required. Contact CustomerPortalSupport@Gemalto.com for assistance.

As part of our ongoing product communication, we are announcing End-of-Sale for SafeNet Network Logon (SNL).

The following are key dates in the End of Sale process:

For details please refer to the End of Life Announcement.

Gemalto/Thales would like to remind you that the previous-generation ProtectServer Internal Express and ProtectServer External products are now end of life.

As announced on 4th June 2014, the ProtectServer 1 product family became end of sale on 4th December 2014. These products have now reached full end of life and support status.
Customers still using the ProtectServer Internal Express or ProtectServer External products listed below should consider migrating to the ProtectServer 2 product family.

We would like to inform you that the SafeNet Agent for Active Directory Federation Services (AD FS) v.2.41 is now available.

This new version features the following enhancement:

The SafeNet Agent for AD FS now successfully facilitates iPhone users’ login to Office365 with the PUSH authentication while using multiple ADFS server and farm configurations on the agent.

Installation and configuration instructions, along with the agent itself, can be downloaded from the Thales Customer Portal : KB0020865

We would like to announce the release of SafeNet Authentication Client (SAC) version 10.2 for Mac (Post GA R2).

This version resolves known issues and features the following:

• Support for MacOS 10.15 Catalina
• Apple Notarization support

SAC 10.2 for Mac (Post GA R2) is now available for download from the Customer Support Portal KB0021012.

Thales is pleased to announce the release of version 2.4.0 of the Luna EFT Payment HSM.

This release of Luna EFT Payment HSM introduces key features expanding the HSM’s capabilities in terms of key management, backup and enhancement of the latest payment standards. This includes:

RSA Key Block Support
Below host functions are updated to generate RSA key block in Key Spec Format 18 as per TR-31:2018:

• GENERATE-RSA-KEY-PAIR (EE9001)
• IMPORT-PUBLIC-KEY (EE9003)

Below host functions are updated to support RSA key block in Key Spec Format 18:

• • SIGN-DATA (EE9005)
  • VERIFY-SIGNED-DATA (EE9006)
  • PUBLIC-KEY-OPERATIONS (EE9009)
  • PRIVATE-KEY-OPERATIONS (EE9010)
  • KEY-RETRIEVE-OPERATION (EE9012)

AES KTPV Support in OBM Host Functions
Below host functions are updated to support 256 bit AES KTPV:

• OBM-SET-PIN (EE3004)
• OBM-VERIFY-PIN-HASH (EE3005)
• OBM-CHANGE-PIN-HASH (EE3006)
• OBM-PRINT-PIN (EE3008)
• OBM-MIGRATE-PIN-3624-TPV (EE3009)
• OBM-GENERATE-RANDOM-PIN (EE3017)
• OBM-PRINT-ENCRYPTED-PIN (EE3018)
• OBM-SET-PIN-TPV (EE3020)

Union Pay International (UPI) Enhancements
Below host functions are updated to support transaction processing for UPI scheme:

• EMV-VERIFY-AC-GEN-ARPC (EE2018)
• EMV-AC-GEN-MULTI (EE2019)
• EMV-SCRIPT-CRYPTO-MULTI (EE2020)
• EMV-PIN-CHANGE-UNBLOCK-MULTI (EE2021)

AMB Host Keys
Key management for the 27 AMB host keys has been merged.

Network Key Transfer on Luna EFT Web Console
NKT transfer page is added to enable import and export of Network Key Transfer package on the Luna EFT web console.

Console Enhancements

Lush

Added Lush Commands

Below is a new Lush command added:

• List/Delete audit log files: This command is used to list/delete audit log files uploaded on HSM for an audit user

Updated Lush Commands

• View KVC: View KVC command is updated to display Audit MAC key status.
• Delete Key: Delete key Lush command is updated to delete KTP key.
• Key management command: Key management command is updated to generate, view, delete, backup and restore AES 256 bit KTPV key.

Web Console

• Partition restart option: A new button is added to restart a partition after SSL and host services configuration on the Luna EFT web console under the Partition Owner role. This enables Partition Owner to restart the partition after configuring all the settings.
  
• Content update: MDC-2 is renamed as HASH_ISO_10118 on the KCV View page.

Other Enhancements

• Host Functions Update
  • • RTMK-4500 (4500): This host function is updated to support encrypted session keys (KMACr, KPEr and KDr) in the request field as optional.
• KM-MIGRATE (12): This host function is updated to support Key Spec format 15 

OpenSSL Version Update

• OpenSSL version is updated to 1.1.1d.

NTP Version Update

• NTP version is updated from 4.2.8p12 to 4.2.8p13.

Please go to the Customer Support Portal* to download the EFT 2.4.0 Software Release and the Customer Release Notes (use Document Number: KB0020981).

*Log in required.  Contact technical.support.DIS@thalesgroup.com  for assistance.

Thales is excited to introduce a new and improved way for customers and partners to access Thales HSM product documentation for Luna HSMs, ProtectServer HSMs and Crypto Command Center.

The online Thales GP HSM Documentation Portal is available 24/7, optimized for all devices (desktop, laptop, tablet, phone), and no login is required.

This is to announce the end-of-support dates for SafeNet ProtectV software releases. Customers are encouraged to transition to the latest version of SafeNet ProtectV for continued full disk encryption of physical servers, virtual machines, and cloud instances to securely run sensitive workloads.

Table 1: EoS Milestone Impact/Definition  

Table 2: Product Versions and Corresponding EoS Milestone Deadlines 

(login for portal required)

Customers are recommended to upgrade to below or higher version of SafeNet ProtectV in order to continue using the latest and supported SafeNet ProtectV releases:

• SafeNetProtectV v4.10.0

Questions?

Please contact your Gemalto Sales Representative or see the Thales Technical Support Centre page for more information (log-in required).

To continue improving file encryption capabilities and adhere to Thales software life cycle policy we are announcing end-of- support (“EoS”) for various previous versions of SafeNet ProtectFile. Please see the milestone descriptions and timelines, as well as products affected by this announcement and recommended migration paths in the tables below.

(Please note:  Log in for portal required to access links.)

Table 1: EoS Milestone Impact/Definition

Table 2: Product Versions and Corresponding EoS Milestone Deadlines 

Customers are recommended to upgrade to below or higher version of SafeNet ProtectFile in order to continue using the latest and supported SafeNet ProtectFile releases:

• SafeNet ProtectFile Windows 8.12.0

• SafeNet ProtectFile Linux 8.11.2

Questions?

Please contact your Gemalto Sales Representative or see the Thales Technical Support Centre page for more information (log-in required).

As part of our ongoing product update cycle, below are End-of-Life (EOL), End-of-Sale (EOS) reminders:

SafeNet Authentication Manager (SAM) OTP Licence

Effective as of May 31, 2020, SafeNet Authentication Manager (SAM) for OTP use cases will be End-of-Life (EOL).

For additional details please refer to the End-of-Sale announcement.

IDCore 3010A & IDCore 3010B

Effective as of May 31, 2020, we are planning to stop sales of IDCore 3010A and IDCore 3010B.

For additional details please refer to the End-of-Sale Announcement.

Interfacing with the Luna HSM and the Luna Cloud HSM service provided by DPoD requires a package called PKCS11js. The file index.d.ts provides a complete Javascript/Typescript API definition. A discussion of the full API is not presented here, however, index.d.ts is maintained by the pkcs11js author(s) and thus one should refer to it for any deficiencies or incompleteness in the use of the API here.

Graphene, also provides a simplistic (although proprietary) Object Oriented interface for interacting with PKCS#11 devices, for some people this is the right level to build on. However, in this example we wish to interact directly with the PKCS#11 API, so PKCS11js is the package to use.

PKCS#11 (also known as CryptoKI or PKCS11) is the standard interface for interacting with hardware crypto devices such as Smart Cards and Hardware Security Modules (HSMs) such as the SafeNet Luna and/or DPoD.

If you would like a 30 day free trial of DPoD please click here.

Installation of node, npm and pkcs11js

On linux, install node npm, then use npm to install the pkcs11js module. You can install these globally or locally within the folder tree of your specific application.

$ yum install node
$ yum install npm
$ npm install pkcs11js

The sample npm install command above is for a local installation. Consult npm help to install globally. Basically, you will need to run the following from the linux command line for each bash session or ensure the environment is set accordingly:

$ export NODE_PATH=`npm root -g`

Also, you will need to install a Luna or DPoD client. The location of the libcklog2.so or libCryptoki2.so libraries will be needed for the sample code below.

Examples

All examples are provided inline here as well as in separate files for download.

It is assumed the reader has a working knowledge of JavaScript.

PKCS#11 allows for the API to receive a null buffer and have the API return the required size, however, pkcs11js does not allow for this. One must provide the proper allocated buffer upon the first call or an error will be returned.

The examples are just that, examples. One should keep in mind that just because a sample gets slot or session info then that doesn’t imply you need to get that same info *unless* your application needs to use that info.

Also, sessions in PKCS#11 need to be explicitly managed by the application. Thus if you open a session and authenticate a r/w session by logging in then your app must track that session and what your app is doing with that session. The PKCS#11 spec does not require enforcement of automatic session management. If you open a session and login then your app should then logout and close that session after it is finished with those resources.

Example #1 – get all mechanisms from the Luna/DPoD partition

var pkcs11js = require("pkcs11js");

var pkcs11 = new pkcs11js.PKCS11();
pkcs11.load("<path_to_p11_library>/libcklog2.so");
//OR
pkcs11.load("<path_to_p11_library>/libCryptoki2.so");
//e.g.
pkcs11.load("/usr/safenet/lunaclient/lib/libCryptoki2_64.so");

pkcs11.C_Initialize();

try {
    // Getting info about PKCS11 Module
    var module_info = pkcs11.C_GetInfo();

    // Getting list of slots
    var slots = pkcs11.C_GetSlotList(true);
    var slot = slots[0];

    // Getting info about slot.  Do this if you need this info.
    var slot_info = pkcs11.C_GetSlotInfo(slot);
    // Getting info about token.  Do this if you need this info.
    var token_info = pkcs11.C_GetTokenInfo(slot);

    // Getting info about Mechanism.  Do this if you need this info.
    var mechs = pkcs11.C_GetMechanismList(slot);
    var mech_info = pkcs11.C_GetMechanismInfo(slot, mechs[0]);

    /**
    * Your app code here
    */
    console.log("mechs:", mechs);

}
catch(e){
    console.error(e);
}
finally {
    pkcs11.C_Finalize();
}

Example #2 – create an AES symmetric key

var pkcs11js = require("pkcs11js");

var pkcs11 = new pkcs11js.PKCS11();
pkcs11.load("<path_to_p11_library>/libcklog2.so");
//OR
pkcs11.load("<path_to_p11_library>/libCryptoki2.so");
//e.g.
pkcs11.load("/usr/safenet/lunaclient/lib/libCryptoki2_64.so");

pkcs11.C_Initialize();

try {
    // Getting info about PKCS11 Module.  Do this if you need this info.
    var module_info = pkcs11.C_GetInfo();

    // Getting list of slots
    var slots = pkcs11.C_GetSlotList(true);
    var slot = slots[0];

    //Sessions in PKCS#11 need to be explicitly managed by the application.  Thus if you open a session and
    //authenticate a r/w session by logging in then your app must track that session and what your app is
    //doing with that session.  The PKCS#11 spec does not require enforcement of automatic session management.
    //If you open a session and login then your app should then logout and close that session after it is
    //finished with those resources.
    var session = pkcs11.C_OpenSession(slot, pkcs11js.CKF_RW_SESSION | pkcs11js.CKF_SERIAL_SESSION);

    // Getting info about Session.  Do this if you *need* to use this info.
    var info = pkcs11.C_GetSessionInfo(session);
    pkcs11.C_Login(session, 1, "userpin");

    /**
    * Your app code here
    */
    var template = [
        { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
        { type: pkcs11js.CKA_TOKEN, value: false },
        { type: pkcs11js.CKA_LABEL, value: "My AES Key" },
        { type: pkcs11js.CKA_VALUE_LEN, value: 256 / 8 },
        { type: pkcs11js.CKA_ENCRYPT, value: true },
        { type: pkcs11js.CKA_DECRYPT, value: true },
    ];
    var key = pkcs11.C_GenerateKey(session, { mechanism: pkcs11js.CKM_AES_KEY_GEN }, template);
        pkcs11.C_Logout(session);
        pkcs11.C_CloseSession(session);
    console.log("key handle:",key.toJSON());

}
catch(e){
    console.error(e);
}
finally {
    pkcs11.C_Finalize();
}

Example #3 – create an AES symmetric key and use it, via CBC mechanism, to encrypt and decrypt some data

var pkcs11js = require("pkcs11js");

var pkcs11 = new pkcs11js.PKCS11();
pkcs11.load("<path_to_p11_library>/libcklog2.so");
//OR
pkcs11.load("<path_to_p11_library>/libCryptoki2.so");
//e.g.
pkcs11.load("/usr/safenet/lunaclient/lib/libCryptoki2_64.so");

pkcs11.C_Initialize();

try {
    // Getting info about PKCS11 Module
    var module_info = pkcs11.C_GetInfo();

    // Getting list of slots
    var slots = pkcs11.C_GetSlotList(true);
    var slot = slots[0];
    console.log("slots:");
    var len = slots.length;

    for (var i = 0; i < len; i++) {
        var myObject = slots[i];
        console.log(myObject.toJSON());
    }

    //Sessions in PKCS#11 need to be explicitly managed by the application.  Thus if you open a session and
    //authenticate a r/w session by logging in then your app must track that session and what your app is
    //doing with that session.  The PKCS#11 spec does not require enforcement of automatic session management.
    //If you open a session and login then your app should then logout and close that session after it is
    //finished with those resources.
    var session = pkcs11.C_OpenSession(slot, pkcs11js.CKF_RW_SESSION | pkcs11js.CKF_SERIAL_SESSION);

    // Getting info about Session.  Do this if you *need* to use this info.
    var info = pkcs11.C_GetSessionInfo(session);
    console.log("slot: 0x" + slot.toString("hex"));
    console.log("session slot ID: 0x" + info.slotID.toString("hex"));
    console.log("session state:" + info.state);
    console.log("session flags:" + info.flags);
    console.log("session deviceError:" + info.deviceError);

    pkcs11.C_Login(session, 1, "userpin");

    /**
    * Your app code here
    */
    var template = [
        { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
        { type: pkcs11js.CKA_TOKEN, value: false },
        { type: pkcs11js.CKA_LABEL, value: "My AES Key" },
        { type: pkcs11js.CKA_VALUE_LEN, value: 256 / 8 },
        { type: pkcs11js.CKA_ENCRYPT, value: true },
        { type: pkcs11js.CKA_DECRYPT, value: true },
    ];
    var secretKey = pkcs11.C_GenerateKey(session, { mechanism: pkcs11js.CKM_AES_KEY_GEN }, template);
    console.log("key handle:",secretKey.toJSON());

    var cbc_param = pkcs11.C_GenerateRandom(session, new Buffer(16), 16);

    pkcs11.C_EncryptInit(
        session,
        {
            mechanism: pkcs11js.CKM_AES_CBC,
            parameter: cbc_param
        },
        secretKey
    );

    var enc = new Buffer(0);
    enc = Buffer.concat([enc, pkcs11.C_EncryptUpdate(session, new Buffer("Incomming data 1"), new Buffer(16))]);
    enc = Buffer.concat([enc, pkcs11.C_EncryptUpdate(session, new Buffer("Incomming data N"), new Buffer(16))]);
    enc = Buffer.concat([enc, pkcs11.C_EncryptFinal(session, new Buffer(16))]);

    console.log("enc length:" + enc.length);
    console.log("0x" + enc.toString("hex"));

    pkcs11.C_DecryptInit(
        session,
        {
            mechanism: pkcs11js.CKM_AES_CBC,
            parameter: cbc_param
        },
        secretKey
    );

    var dec = new Buffer(0);
    dec = Buffer.concat([dec, pkcs11.C_DecryptUpdate(session, enc, new Buffer(32))]);
    dec = Buffer.concat([dec, pkcs11.C_DecryptFinal(session, new Buffer(16))]);

    console.log(dec.toString());
}
catch(e){
    console.error(e);
}
finally {
    pkcs11.C_Logout(session);
    pkcs11.C_CloseSession(session);
    pkcs11.C_Finalize();
}

Example #4 – create an AES symmetric key and use it, via GCM mechanism, to encrypt and decrypt some data

var pkcs11js = require("pkcs11js");

//what has been implemented in pkcs11js as of 2020-01-02
const MechParams = {
  AesCBC: 1,
  AesCCM: 2,
  AesGCM: 3,
  RsaOAEP: 4,
  RsaPSS: 5,
  EcDH: 6,
  AesGCMv240: 7,
}

var pkcs11 = new pkcs11js.PKCS11();
pkcs11.load("<path_to_p11_library>/libcklog2.so");
//OR
pkcs11.load("<path_to_p11_library>/libCryptoki2.so");
//e.g.
pkcs11.load("/usr/safenet/lunaclient/lib/libCryptoki2_64.so");

pkcs11.C_Initialize();

try {
    // Getting info about PKCS11 Module
    var module_info = pkcs11.C_GetInfo();

    // Getting list of slots
    var slots = pkcs11.C_GetSlotList(true);
    var slot = slots[0];

    //Sessions in PKCS#11 need to be explicitly managed by the application.  Thus if you open a session and
    //authenticate a r/w session by logging in then your app must track that session and what your app is
    //doing with that session.  The PKCS#11 spec does not require enforcement of automatic session management.
    //If you open a session and login then your app should then logout and close that session after it is
    //finished with those resources.
    var session = pkcs11.C_OpenSession(slot, pkcs11js.CKF_RW_SESSION | pkcs11js.CKF_SERIAL_SESSION);

    // Getting info about Session.  Do this if you *need* to use this info.
    var info = pkcs11.C_GetSessionInfo(session);
    console.log("slot: 0x" + slot.toString("hex"));
    console.log("session slot ID: 0x" + info.slotID.toString("hex"));
    console.log("session state:" + info.state);
    console.log("session flags:" + info.flags);
    console.log("session deviceError:" + info.deviceError);

    pkcs11.C_Login(session, 1, "userpin");

    /**
    * Your app code here
    */
    var template = [
        { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
        { type: pkcs11js.CKA_TOKEN, value: false },
        { type: pkcs11js.CKA_LABEL, value: "My AES Key" },
        { type: pkcs11js.CKA_VALUE_LEN, value: 256 / 8 },
        { type: pkcs11js.CKA_ENCRYPT, value: true },
        { type: pkcs11js.CKA_DECRYPT, value: true },
    ];
    var secretKey = pkcs11.C_GenerateKey(session, { mechanism: pkcs11js.CKM_AES_KEY_GEN }, template);
    console.log("key handle:",secretKey.toJSON());

    //Find the object (key in this case) to use below
    var searchTemplate = [
        { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
        { type: pkcs11js.CKA_TOKEN, value: false },
        { type: pkcs11js.CKA_LABEL, value: "My AES Key" },
    ];
    pkcs11.C_FindObjectsInit(session, searchTemplate);
    objects = pkcs11.C_FindObjects(session, 1);
    pkcs11.C_FindObjectsFinal(session);
    console.log("objects found:", objects.length);
    if ( objects.length == 1) {
      var foundKey = objects[0];
      console.log("objects found:", foundKey);
      //clobber generated key handle with found key handle
      secretKey = foundKey;
    }

    // Generate AES GCM parameters
    // Generate random IV and setup IV params
    var iv = pkcs11.C_GenerateRandom(session, new Buffer(12), 12);
    // Generate Additional Authentication Data(AAD) bytes
    var aad = new Buffer("AAAD");
    // Generate iv bits size
    var ivBits = 12*8;//96
    // Generate tag bits size
    var tagBits = 128;
    var type = MechParams.AesGCM;
    console.log("MechParams.AesGCM=",MechParams.AesGCM);
    var gcm_params = {
      iv,
      ivBits: iv.length * 8,
      aad: aad,
      tagBits,
      type,
    };

    pkcs11.C_EncryptInit(
        session,
        {
            mechanism: pkcs11js.CKM_AES_GCM,
            parameter: gcm_params
        },
        secretKey
    );

    var enc = new Buffer(0);
    enc = Buffer.concat([enc, pkcs11.C_EncryptUpdate(session, new Buffer("Incomming data 1"), new Buffer(0))]);
    enc = Buffer.concat([enc, pkcs11.C_EncryptUpdate(session, new Buffer("Incomming data N"), new Buffer(0))]);
    //AES CGCM is a special case in that the encrypt final, not encrypt update, is where the full buffer is required
    enc = Buffer.concat([enc, pkcs11.C_EncryptFinal(session, new Buffer(48))]);

    console.log("enc length:" + enc.length);
    console.log("0x" + enc.toString("hex"));

    pkcs11.C_DecryptInit(
        session,
        {
            mechanism: pkcs11js.CKM_AES_GCM,
            parameter: gcm_params
        },
        secretKey
    );

    var dec = new Buffer(0);
    dec = Buffer.concat([dec, pkcs11.C_DecryptUpdate(session, enc, new Buffer(32))]);
    dec = Buffer.concat([dec, pkcs11.C_DecryptFinal(session, new Buffer(32))]);

    console.log("dec length:" + dec.length);
    console.log(dec.toString());
}
catch(e){
    console.error(e);
}
finally {
    pkcs11.C_Logout(session);
    pkcs11.C_CloseSession(session);
    pkcs11.C_Finalize();
}

Example #5 – create an RSA asymmetric key pair and use it to sign and verify some data

var pkcs11js = require("pkcs11js");

var pkcs11 = new pkcs11js.PKCS11();
pkcs11.load("<path_to_p11_library>/libcklog2.so");
//OR
pkcs11.load("<path_to_p11_library>/libCryptoki2.so");
//e.g.
pkcs11.load("/usr/safenet/lunaclient/lib/libCryptoki2_64.so");

pkcs11.C_Initialize();

try {
    // Getting info about PKCS11 Module
    var module_info = pkcs11.C_GetInfo();

    // Getting list of slots
    var slots = pkcs11.C_GetSlotList(true);
    var slot = slots[0];

    //Sessions in PKCS#11 need to be explicitly managed by the application.  Thus if you open a session and
    //authenticate a r/w session by logging in then your app must track that session and what your app is
    //doing with that session.  The PKCS#11 spec does not require enforcement of automatic session management.
    //If you open a session and login then your app should then logout and close that session after it is
    //finished with those resources.
    var session = pkcs11.C_OpenSession(slot, pkcs11js.CKF_RW_SESSION | pkcs11js.CKF_SERIAL_SESSION);

    // Getting info about Session.  Do this if you *need* to use this info.
    var info = pkcs11.C_GetSessionInfo(session);
    console.log("slot: 0x" + slot.toString("hex"));
    console.log("session slot ID: 0x" + info.slotID.toString("hex"));
    console.log("session state:" + info.state);
    console.log("session flags:" + info.flags);
    console.log("session deviceError:" + info.deviceError);

    pkcs11.C_Login(session, 1, "userpin");

    /**
    * Your app code here
    */
    var publicKeyTemplate = [
        { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_PUBLIC_KEY },
        { type: pkcs11js.CKA_TOKEN, value: false },
        { type: pkcs11js.CKA_LABEL, value: "My RSA Public Key" },
        { type: pkcs11js.CKA_PUBLIC_EXPONENT, value: new Buffer([1, 0, 1]) },
        { type: pkcs11js.CKA_MODULUS_BITS, value: 2048 },
        { type: pkcs11js.CKA_VERIFY, value: true }
    ];
    var privateKeyTemplate = [
        { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_PRIVATE_KEY },
        { type: pkcs11js.CKA_TOKEN, value: false },
        { type: pkcs11js.CKA_LABEL, value: "My RSA Private Key" },
        { type: pkcs11js.CKA_SIGN, value: true },
    ];
    var keys = pkcs11.C_GenerateKeyPair(session, { mechanism: pkcs11js.CKM_RSA_PKCS_KEY_PAIR_GEN }, publicKeyTemplate, privateKeyTemplate);

    pkcs11.C_SignInit(session, { mechanism: pkcs11js.CKM_SHA256_RSA_PKCS }, keys.privateKey);

    pkcs11.C_SignUpdate(session, new Buffer("Incomming message 1"));
    pkcs11.C_SignUpdate(session, new Buffer("Incomming message N"));

    var signature = pkcs11.C_SignFinal(session, Buffer(256));


    pkcs11.C_VerifyInit(session, { mechanism: pkcs11js.CKM_SHA256_RSA_PKCS }, keys.publicKey);

    pkcs11.C_VerifyUpdate(session, new Buffer("Incomming message 1"));
    pkcs11.C_VerifyUpdate(session, new Buffer("Incomming message N"));

    var verify = pkcs11.C_VerifyFinal(session, signature);

}
catch(e){
    console.error(e);
}
finally {
    pkcs11.C_Logout(session);
    pkcs11.C_CloseSession(session);
    pkcs11.C_Finalize();
}

Example #6 – create an EC asymmetric key pair and use it to sign and verify some data

var pkcs11js = require("pkcs11js");

var pkcs11 = new pkcs11js.PKCS11();
pkcs11.load("<path_to_p11_library>/libcklog2.so");
//OR
pkcs11.load("<path_to_p11_library>/libCryptoki2.so");
//e.g.
pkcs11.load("/usr/safenet/lunaclient/lib/libCryptoki2_64.so");

pkcs11.C_Initialize();

try {
    // Getting info about PKCS11 Module
    var module_info = pkcs11.C_GetInfo();

    // Getting list of slots
    var slots = pkcs11.C_GetSlotList(true);
    var slot = slots[0];

    //Sessions in PKCS#11 need to be explicitly managed by the application.  Thus if you open a session and
    //authenticate a r/w session by logging in then your app must track that session and what your app is
    //doing with that session.  The PKCS#11 spec does not require enforcement of automatic session management.
    //If you open a session and login then your app should then logout and close that session after it is
    //finished with those resources.
    var session = pkcs11.C_OpenSession(slot, pkcs11js.CKF_RW_SESSION | pkcs11js.CKF_SERIAL_SESSION);

    // Getting info about Session.  Do this if you *need* to use this info.
    var info = pkcs11.C_GetSessionInfo(session);
    console.log("slot: 0x" + slot.toString("hex"));
    console.log("session slot ID: 0x" + info.slotID.toString("hex"));
    console.log("session state:" + info.state);
    console.log("session flags:" + info.flags);
    console.log("session deviceError:" + info.deviceError);

    pkcs11.C_Login(session, 1, "userpin");

    /**
    * Your app code here
    */
    var publicKeyTemplate = [
        { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_PUBLIC_KEY },
        { type: pkcs11js.CKA_TOKEN, value: false },
        { type: pkcs11js.CKA_LABEL, value: "My EC Public Key" },
        { type: pkcs11js.CKA_EC_PARAMS, value: new Buffer("06082A8648CE3D030107", "hex") }, // secp256r1
        { type: pkcs11js.CKA_VERIFY, value: true },
    ];
    var privateKeyTemplate = [
        { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_PRIVATE_KEY },
        { type: pkcs11js.CKA_TOKEN, value: false },
        { type: pkcs11js.CKA_LABEL, value: "My EC Private Key" },
        { type: pkcs11js.CKA_DERIVE, value: true },
        { type: pkcs11js.CKA_SIGN, value: true },
    ];
    var keys = pkcs11.C_GenerateKeyPair(session, { mechanism: pkcs11js.CKM_EC_KEY_PAIR_GEN }, publicKeyTemplate, privateKeyTemplate);

    pkcs11.C_SignInit(session, { mechanism: pkcs11js.CKM_ECDSA }, keys.privateKey);

    pkcs11.C_SignUpdate(session, new Buffer("Incomming message 1"));
    pkcs11.C_SignUpdate(session, new Buffer("Incomming message N"));

    var signature = pkcs11.C_SignFinal(session, Buffer(256));

    pkcs11.C_VerifyInit(session, { mechanism: pkcs11js.CKM_ECDSA }, keys.publicKey);

    pkcs11.C_VerifyUpdate(session, new Buffer("Incomming message 1"));
    pkcs11.C_VerifyUpdate(session, new Buffer("Incomming message N"));

    var verify = pkcs11.C_VerifyFinal(session, signature);

}
catch(e){
    console.error(e);
}
finally {
    pkcs11.C_Logout(session);
    pkcs11.C_CloseSession(session);
    pkcs11.C_Finalize();
}

Thales is pleased to announce the introduction of additional tiles to the DPoD Marketplace.
Partner tiles provide direct links to Thales Partners who offer solutions integrated with the DPoD platform.

Newly Introduced Tiles

Keyfactor Code Assure
Keyfactor Code Assure centralizes code signing operations into a single intuitive platform. Developers can have the freedom to quickly sign any code, from anywhere, while keys remain locked in a secure vault.

Keyfactor Control
Keyfactor Control makes it easy and affordable to embed high-assurance secure identity into every step of the IoT device lifecycle. Through design, manufacturing, deployment and ongoing management, Keyfactor Control provides the identity foundation you need to produce and sustain the most secure devices on the market – giving you the freedom to design great products and the confidence that they’ll deploy and remain secure throughout their use.

Keyfactor Command
Secure digital identity for the entire enterprise
Keyfactor Command is the world’s most complete and scalable cloud-based certificate management platform, providing the freedom to secure every identity across the enterprise. Get all the benefits of owning PKI without the risks. Absolutely, positively need to run it yourself? Keyfactor Command is also available for client-hosted environments.