Edition SC34-7730-03: Updates for openCryptoki versions 3.23 - 3.25

This edition describes new features of openCryptoki versions 3.23 - 3.25.

Token support

  • openCryptoki now offers support for the CIPHER key variant of AES secure keys for CCA tokens. For compatibility reasons, the default AES secure key variant remains AES DATA keys, but the user can configure the use of AES CIPHER keys token-wide, as well as on a per-key creation operation basis. Prerequisite of this new support is CCA version 7.1 or later.
  • Support of the SHAKE mechanisms is added to the ICA token and to the Soft token.
  • Support of the SHA3 and SHA3_HMAC mechanisms is added to the EP11 token.
  • The CKM_RSA_PKCS_OAEP mechanism of the CCA token now also supports the hashing mechanisms SHA224, SHA256, and SHA512 for RSA-OEAP on encrypt or decrypt with CCA version 8.1 or later starting with openCryptoki version 3.24.
  • Support of SHA3 mechanisms is added to the openCryptoki CCA token, the ICA token, and the Soft token. CCA version 8.1 or later is required for using the new mechanisms in the CCA token. For the ICA token and the Soft token there are no prerequisites.
  • The IBM®-specific mechanism CKM_IBM_DILITHIUM is now also available with the CCA token. This mechanism can be used to generate Dilithium keys of different variants, and it can also be used to perform sign and verify operations with Dilithium keys.
  • The EP11 token can now operate in a new FIPS session mode. In this mode, only FIPS 140-2 compliant secure keys are used. An EP11 APQN in FIPS compliant mode requires the use of the FIPS session mode.
  • Support of the following PKCS #11 standard mechanism to wrap and unwrap keys is added to the CCA token, the ICA token, and the Soft token:
    • CKM_RSA_AES_KEY_WRAP

    The ICA token and the Soft token additionally support the following mechanisms to wrap and unwrap keys :

    • CKM_ECDH_AES_KEY_WRAP
    • CKM_AES_KEY_WRAP
    • CKM_AES_KEY_WRAP_PAD
    • CKM_AES_KEY_WRAP_KWP
    • CKM_AES_KEY_WRAP_PKCS7
  • With the CCA token, you can now derive AES keys with the help of the ECDH key agreement protocol by using the C_DeriveKey() function API with the CKM_ECDH1_DERIVE mechanism.
  • Also, with the CCA token, applications can now utilize the PKCS #11 CKM_AES_GCM mechanism to perform authenticated data encryption and decryption using AES in Galois/Counter mode (GCM).
  • Protected keys can now also be extractable in an EP11 token. Older EP11 adapter firmware enforces the restriction that keys cannot simultaneously have CKA_EXTRACTABLE=TRUE and CKA_IBM_PROTKEY_EXTRACTABLE=TRUE. With newer adapter firmware this restriction is removed. You can specify two new values for the PKEY_MODE option in the EP11 token configuration file to enable protected key support for extractable keys only, or for all keys.
  • The EP11 token supports exporting and importing EP11 secure key blobs. Both functions use the CKA_IBM_OPAQUE attribute: importing sets the key blob in this attribute and exporting retrieves the key blob from this attribute.

New openCryptoki features

  • An openCryptoki administrator can now use UNIX access control to configure user access to the token directories (including the respective token object repositories) in a way that a certain user can access the token directory of one token, but not the token directory of another token.

    To support the administrator to correctly set the owner of the token directories, a tool called pkcstok_admin is provided.

  • The p11-kit utility is enhanced to additionally support three IBM-specific mechanisms: CKM_IBM_BTC_DERIVE, CKM_IBM_ECDSA_OTHER, and CKM_IBM_KYBER.

    The p11-kit utility can especially be used to provide remote PKCS #11 API access to openCryptoki tokens through an RPC-like communication protocol.

  • You can use the new p11kmip tool for exporting AES secret keys from a token in a PKCS #11 slot to a KMIP server or for importing AES secret keys from a KMIP server to a PKCS #11 token. RSA asymmetric key pairs are used for wrapping and unwrapping the secret key material during and after the transmission.