Restriction to extended evaluations
For openCryptoki versions up to 3.8, the EP11 token only supported those functions and mechanisms that are available on an adapter that is configured to comply with the extended evaluations. These extended evaluations meet public sector requirements with regard to both FIPS and Common Criteria certifications. For more details, see the IBM z14 Technical Guide.
Starting with the current version of the EP11 enablement, you can control the use of certain mechanisms within a domain of an EP11 cryptographic coprocessor by configuring this coprocessor by means of access control points (ACPs). So except for one restriction, the use of mechanisms is no longer restricted to the limitations imposed by the extended evaluations.
Read Filtering mechanisms for information on how to manage the access to PKCS #11 mechanisms using ACPs. The available mechanisms and their attributes are then reflected by the openCryptoki functions C_GetMechanismList and C_GetMechanismInfo. However, there is one restriction on RSA mechanisms that cannot be reflected in the result of C_GetMechanismInfo: The CKA_PUBLIC_EXPONENT must have a value of at least 17.
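Because C_GetMechanismInfo cannot report this restriction, an application can check the exponent in its own key-generation template before calling the token. The following is an added example, not code from openCryptoki or IBM: the function name ep11_public_exponent_ok and the sample values are assumptions, and it relies on CKA_PUBLIC_EXPONENT being a PKCS #11 Big integer (an unsigned, big-endian byte string, where CK_BYTE is an unsigned char).

```c
#include <stddef.h>
#include <stdio.h>

/* Minimum RSA public exponent stated on this page for the EP11 token. */
#define EP11_MIN_PUBLIC_EXPONENT 17u

/* Constructed sample exponents, encoded as CKA_PUBLIC_EXPONENT values. */
static const unsigned char exp_3[]        = { 0x03 };
static const unsigned char exp_3_padded[] = { 0x00, 0x00, 0x03 };
static const unsigned char exp_16[]       = { 0x10 };
static const unsigned char exp_17[]       = { 0x11 };
static const unsigned char exp_65537[]    = { 0x01, 0x00, 0x01 };

/*
 * Hypothetical helper: returns 1 if the big-endian value in exp[0..len-1]
 * is at least 17, and 0 otherwise (including NULL, empty and zero values).
 */
int ep11_public_exponent_ok(const unsigned char *exp, size_t len)
{
    size_t i = 0;

    if (exp == NULL || len == 0)
        return 0;

    /* Leading zero bytes do not change the value, so skip them. */
    while (i < len && exp[i] == 0)
        i++;

    if (i == len)
        return 0;               /* the value is zero */
    if (len - i > 1)
        return 1;               /* two or more significant bytes: >= 256 */

    return exp[i] >= EP11_MIN_PUBLIC_EXPONENT;
}

int main(void)
{
    printf("3:          %d\n", ep11_public_exponent_ok(exp_3, sizeof exp_3));
    printf("3 (padded): %d\n",
           ep11_public_exponent_ok(exp_3_padded, sizeof exp_3_padded));
    printf("16:         %d\n", ep11_public_exponent_ok(exp_16, sizeof exp_16));
    printf("17:         %d\n", ep11_public_exponent_ok(exp_17, sizeof exp_17));
    printf("65537:      %d\n",
           ep11_public_exponent_ok(exp_65537, sizeof exp_65537));
    return 0;
}
```

Run the check on the CKA_PUBLIC_EXPONENT attribute of the public key template before passing it to C_GenerateKeyPair, so that an exponent below 17 is rejected by the application with a clear message.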