Updates for the openCryptoki version 3.10 EP11 token type
The following enhancements are implemented for the EP11 enablement for openCryptoki version 3.10:
- All mechanisms provided by the EP11 token type that are defined in PKCS #11 v2.40 are now supported. See Table 1 for a complete list of supported mechanisms for the EP11 token. However, the EP11 token still supports the CKM_ECDH1_DERIVE mechanism according to PKCS #11 v2.20 (without key derivation function (KDF) and shared data).
- You can activate one or two session modes that limit access to cryptographic objects in order to improve security. The available session modes are the strict session mode and the virtual HSM (VHSM) mode. In strict session mode, a unique EP11 session ID is generated for each new session. This prevents a session key (if copied from a session) from being accepted as a valid key by the EP11 crypto adapter after the PKCS #11 session that generated the key has ended. In virtual HSM (VHSM) mode, you can restrict keys so that they can be used only by the token that generated them. You can configure an EP11 token to use either one of the available modes, or both.
- You can now set an option that makes CK_TRUE the default value for the CKA_SENSITIVE attribute when generating, unwrapping, or building secret keys with C_CreateObject. This removes a restriction that applied when using EP11 library functions from earlier versions.
- The list of mechanisms returned by the C_GetMechanismList function is now filtered according to the (domain) control points configured in the cryptographic coprocessor.
- You can now import keys of type CKK_DH, CKK_DSA, and CKK_EC. See Importing keys for more information.
- The error handling when using EP11 library functions is enhanced:
  - User-friendly messages are issued to the SYSLOG during token initialization, when no CK_SESSION_INFO structure is available for providing meaningful reason codes.
  - The use of return codes is adapted to better comply with the PKCS #11 standard.
- openCryptoki now supports multiple token instances of the same token type. This edition documents how to use this support for multiple tokens of type EP11.
- Starting with EP11 library version 2.0, the TKE by default uses the ep11TKEd daemon to authenticate as a Linux™ user who is a member of the new ep11tke group, which is created during EP11 package installation.
- New tools are described in Tools and utilities:
  - ep11info provides information about EP11 cryptographic coprocessors and about configured domains.
  - pkcsep11_session allows you to delete EP11 sessions from EP11 cryptographic coprocessors that were left over by programs that did not terminate normally.
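One way to turn on the two session modes and the CKA_SENSITIVE default described above, as an added example that is not from this page or from the openCryptoki project itself: the keywords STRICT_MODE, VHSM_MODE, FORCE_SENSITIVE and APQN_WHITELIST are assumed from the ep11tok.conf format as the editor knows it (check them against the man page of your installed version), and the adapter/domain numbers are constructed.

```conf
#
# Sample EP11 token configuration (added example; option names assumed
# from the ep11tok.conf format, not taken from the page above).
#

# Adapter/domain pairs this token instance may use (constructed values).
APQN_WHITELIST
  3 21
  4 21
END

# Strict session mode: a unique EP11 session ID per PKCS #11 session, so a
# copied session key is no longer accepted by the adapter once the session
# that generated it has ended.
STRICT_MODE

# Virtual HSM mode: keys can be used only by the token that generated them.
VHSM_MODE

# Default CKA_SENSITIVE to CK_TRUE for secret keys that are generated,
# unwrapped or built with C_CreateObject.
FORCE_SENSITIVE
```

Either mode can be enabled on its own by omitting the other keyword; a token with both keywords uses both restrictions.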