Home > Operational Management > Checking PKCS11 HSM Functionality

Checking PKCS11 HSM Functionality

ADSS Server contains a test utility called "test_pkcs11" that performs a full interoperability test on a PKCS#11 device. This is useful for confirming that an HSM, smartcard or a crypto USB token can be controlled properly on a given platform using the current firmware and device driver software. The test utility executes a number of test cases that covers all the operations that can be performed by ADSS Server. A detailed report is generated that can be used to analyse any faults. The test utility tests SHA2, SHA3 and RipeMD Hashing Algorithms. It also tests the key sizes for RSA and ECDSA key algorithms as well as performs testing for key wrapping (derive dynamic key wrapping), key unwrapping, HSM connections and HMAC Algorithms. Some issues may be expected if certain algorithms are not supported.

The list of algorithms supported by PKCS#11 for ADSS Server are as follows: 

Item Description
HMAC Algorithms
The utility tests the following HMAC Algorithms:  
  • Hmac SHA1
  • Hmac SHA256
  • Hmac SHA384
  • Hmac SHA512
  • Hmac MD5
Hashing Algorithms 
The utility tests the following Hashing Algorithms which are categorized on the basis of supported Key Algorithms i.e. RSA and ECDSA:  
  • RSA: SHA1, SHA256, SHA384SHA512SHA3-224SHA3-256SHA3-384SHA3-512, RipeMd128 and RipeMd160
  • ECDSA: SHA1, SHA224, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384 and SHA3-512
Key Lengths
The utility tests the following Key Lengths which are categorized on the basis of supported Key Algorithms i.e. RSA and ECDSA:  
  • RSA: 1024, 1280, 1536204830724096 and 8192
  • ECDSA: We can categorize the key lengths supported for ECDSA into the respective curve types applied while key generation i.e. NIST P, SEC2 K, Brainpool R and Brainpool T. The list of supported key lengths for respective curve type are as follows: 
    • NIST P: 160, 192, 224, 256, 384 and 521
    • SEC2 K: 256
    • Brainpool R & Brainpool T: 160, 192, 224, 256, 320, 384 and 521

To run the test utility, follow these steps:

Windows OS

  1. Launch a windows command prompt.
  2. Change Directory (cd) to [ADSS Server Home]\util\bin\
  3. Type the following command to run the test utility

    test_pkcs11.bat [PKCS#11 Name] [PKCS#11 Module library] [PKCS#11 Slot id] [PKCS#11 Slot PIN] [FIPS Mode true or false] [Local Path for PKCS#11 Log File] [Logging Level INFO or DEBUG] [HSM Vendor UTIMACO or THALES or SAFENET] [Key Template JSON File Path]
For example:

test_pkcs11.bat aladdin etpkcs11.dll 0 password false C:\Testing\pkcs11.log DEBUG UTIMACO [ADSS-Installation-Dir]\conf\hsm\keytemplates\default_utimaco_key_template.json


If ADSS Server version is older than v5.9 then do not use the parameter [HSM Vendor UTIMACO or THALES or SAFENET]
 UNIX OS

  1. Launch the Terminal.
  2. Change Directory (cd) to [ADSS Server Home]\util\bin\
  3. Type the following command to run the test utility:

    ./test_pkcs11.sh [PKCS#11 Friendly Name] [PKCS#11 Module] [PKCS#11 Slot] [PKCS#11 Slot PIN] [FIPS Mode true or false] [Local Path for PKCS#11 Log File] [Logging Level INFO or DEBUG] [HSM Vendor UTIMACO or THALES or SAFENET] [Key Template JSON File Path]
For example:

./test_pkcs11.sh aladdin libeTPkcs11.so 0 password false /home/adss-test/pkcs11.log DEBUG UTIMACO [ADSS-Installation-Dir]\conf\hsm\keytemplates\default_utimaco_key_template.json
Open the log file (pkcs11.log), if unexpected issues are seen then check that the HSM firmware, HSM or smartcard device driver are at the current version and otherwise contact Ascertia support at support@ascertia.com.

​If ADSS Server version is older than v5.9 then do not use the parameter [HSM Vendor UTIMACO or THALES or SAFENET]

See also

Creating a New Hardware Crypto Profile
Starting & Stopping ADSS Server
Accessing the ADSS Server Console
Adding an Operator to ADSS Server
Managing Backups
Managing Disk Space
Upgrading ADSS Server
Trace Logs Export Utility