From 40e87ccf619be3cf15d62eb572485eb90d9b90d1 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Fri, 4 Jul 2025 15:22:24 +0200
Subject: [PATCH] Resolves: RHEL-73344, upgrade openCryptoki Resolves: RHEL-90590, basic support of AES-GCM Resolves: RHEL-72965, cca token support cipher keys Resolves: RHEL-72969, support for CKM_RSA_AES_KEY_WRAP for cca, ica and soft tokens Resolves: RHEL-75141, add a tool to import/export PKCS #11 keys from to a KMIP server Resolves: RHEL-75762, ep11 token: import and export of secure key objects Resolves: RHEL-85375, cca token: Support ECDH to derive AES keys Resolves: RHEL-85377, ep11 token: PKCS #11 3.0 - support SHA3
---
 .gitignore | 1 +
 ...or-due-to-incompatible-pointer-types.patch | 66 -----------
 opencryptoki-3.24.0-resource-leaks.patch | 75 -------------
 ....patch => opencryptoki-3.25.0-p11sak.patch | 17 ++-
 opencryptoki.spec | 104 +++++++++++-------
 sources | 2 +-
 6 files changed, 76 insertions(+), 189 deletions(-)
 delete mode 100644 opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
 delete mode 100644 opencryptoki-3.24.0-resource-leaks.patch
 rename opencryptoki-3.24.0-p11sak.patch => opencryptoki-3.25.0-p11sak.patch (72%)
diff --git a/.gitignore b/.gitignore
index e234808..2ab896e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,4 @@ opencryptoki-2.3.1.tar.gz
 /opencryptoki-3.22.0.tar.gz
 /opencryptoki-3.23.0.tar.gz
 /opencryptoki-3.24.0.tar.gz
+/opencryptoki-3.25.0.tar.gz
diff --git a/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch b/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
deleted file mode 100644
index a0b77dd..0000000
--- a/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -commit e58d2086cf9268a1dd2431c64c6bcdd74c2c3233 -Author: Ingo Franzki -Date: Mon Sep 16 09:16:03 2024 +0200 - - COMMON: Fix compile error due to incompatible pointer types - - usr/lib/common/mech_openssl.c:4751:36: error: passing argument 2 of - 'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types] - 4751 | rc = get_sha_size(digest_mech, &mac_len); - - usr/lib/common/mech_openssl.c:4851:36: error: passing argument 2 of - 'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types] - 4851 | rc = get_sha_size(digest_mech, &mac_len); - - Closes: https://github.com/opencryptoki/opencryptoki/issues/809 - - 
Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c -index 296b5e0a..500b6f91 100644 ---- a/usr/lib/common/mech_openssl.c -+++ b/usr/lib/common/mech_openssl.c -@@ -4731,6 +4731,7 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data, - CK_RV rv = CKR_OK; - CK_BBOOL general = FALSE; - CK_MECHANISM_TYPE digest_mech; -+ CK_ULONG mac_len2; - - if (!ctx || !ctx->context) { - TRACE_ERROR("%s received bad argument(s)\n", __func__); -@@ -4748,11 +4749,12 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data, - return rc; - } - -- rc = get_sha_size(digest_mech, &mac_len); -+ rc = get_sha_size(digest_mech, &mac_len2); - if (rc != CKR_OK) { - TRACE_ERROR("%s get_sha_size failed\n", __func__); - return rc; - } -+ mac_len = mac_len2; - - mdctx = (EVP_MD_CTX *) ctx->context; - -@@ -4833,6 +4835,7 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature, - CK_RV rv = CKR_OK; - CK_BBOOL general = FALSE; - CK_MECHANISM_TYPE digest_mech; -+ CK_ULONG mac_len2; - - if (!ctx || !ctx->context) - return CKR_OPERATION_NOT_INITIALIZED; -@@ -4848,11 +4851,12 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature, - return rc; - } - -- rc = get_sha_size(digest_mech, &mac_len); -+ rc = get_sha_size(digest_mech, &mac_len2); - if (rc != CKR_OK) { - TRACE_ERROR("%s get_sha_size failed\n", __func__); - return rc; - } -+ mac_len = mac_len2; - - if (signature == NULL) { - if (sign) { diff --git a/opencryptoki-3.24.0-resource-leaks.patch b/opencryptoki-3.24.0-resource-leaks.patch deleted file mode 100644 index f0c2598..0000000 --- a/opencryptoki-3.24.0-resource-leaks.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -commit 66a18ffa057565b6bf292e50969ea27ce33b394c -Author: Than Ngo -Date: Tue Oct 29 13:41:23 2024 +0100 - - Fix resource leak - - 1. Defect type: RESOURCE_LEAK - 4. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: alloc_fn: Storage is returned from allocation function "malloc". - 5. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: var_assign: Assigning: "new_key->opaque_attr" = storage returned from "malloc(attrs[0].ulValueLen)". - 7. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:748:5: noescape: Resource "new_key->opaque_attr" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] - 9. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:752:9: leaked_storage: Freeing "new_key" without freeing its pointer field "opaque_attr" leaks the storage that "opaque_attr" points to. - 750| if (!new_key->label) { - 751| print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1); - 752|-> free(new_key); - 753| return 2; - 754| } - - 2. Defect type: RESOURCE_LEAK - 15. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1140:5: alloc_arg: "object_mgr_create_skel" allocates memory that is stored into "temp_obj". - 21. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1182:5: leaked_storage: Variable "temp_obj" going out of scope leaks the storage it points to. - 1180| free(derived_key); - 1181| - 1182|-> return rc; - 1183| } - 1184| - - 
Signed-off-by: Than Ngo - -diff --git a/usr/lib/common/mech_dh.c b/usr/lib/common/mech_dh.c -index b59ed852..79ac5b4d 100644 ---- a/usr/lib/common/mech_dh.c -+++ b/usr/lib/common/mech_dh.c -@@ -124,6 +124,8 @@ CK_RV dh_pkcs_derive(STDLL_TokData_t *tokdata, - if (rc != CKR_OK) { - TRACE_ERROR("template_update_attribute failed\n"); - free(new_attr); -+ object_free(temp_obj); -+ temp_obj = NULL; - return rc; - } - -diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c -index be8f5218..b062dbfb 100644 ---- a/usr/lib/common/mech_ec.c -+++ b/usr/lib/common/mech_ec.c -@@ -1152,6 +1152,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess, - TRACE_ERROR("template_update_attribute failed\n"); - free(value_attr); - free(vallen_attr); -+ object_free(temp_obj); -+ temp_obj = NULL; - goto end; - } - -@@ -1160,6 +1162,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess, - if (rc != CKR_OK) { - TRACE_ERROR("template_update_attribute failed\n"); - free(vallen_attr); -+ object_free(temp_obj); -+ temp_obj = NULL; - goto end; - } - } -diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c -index ffbe3311..a3756c14 100644 ---- a/usr/sbin/pkcscca/pkcscca.c -+++ b/usr/sbin/pkcscca/pkcscca.c -@@ -749,6 +749,7 @@ int add_key(CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *attrs, struct key **keys) - new_key->label = malloc(attrs[2].ulValueLen + 1); - if (!new_key->label) { - print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1); -+ free(new_key->opaque_attr); - free(new_key); - return 2; - } diff --git a/opencryptoki-3.24.0-p11sak.patch b/opencryptoki-3.25.0-p11sak.patch similarity index 72% rename from opencryptoki-3.24.0-p11sak.patch rename to opencryptoki-3.25.0-p11sak.patch index a730c0b..0fd3a84 100644 --- a/opencryptoki-3.24.0-p11sak.patch +++ b/opencryptoki-3.25.0-p11sak.patch 
@@ -1,6 +1,6 @@ -diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am ---- opencryptoki-3.24.0/Makefile.am.me 2024-09-12 12:53:05.023882913 +0200 -+++ opencryptoki-3.24.0/Makefile.am 2024-09-12 12:55:34.366644836 +0200 +diff -up opencryptoki-3.25.0/Makefile.am.me opencryptoki-3.25.0/Makefile.am +--- opencryptoki-3.25.0/Makefile.am.me 2025-06-10 08:52:39.000000000 +0200 ++++ opencryptoki-3.25.0/Makefile.am 2025-06-10 15:32:06.974976310 +0200 @@ -51,20 +51,8 @@ include tools/tools.mk include doc/doc.mk 
@@ -22,21 +22,26 @@ diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am if ENABLE_LIBRARY $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll $(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11 -@@ -117,7 +105,7 @@ if ENABLE_EP11TOK +@@ -117,11 +105,11 @@ if ENABLE_EP11TOK endif if ENABLE_P11SAK test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true - test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true + endif + if ENABLE_P11KMIP + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true endif if ENABLE_ICATOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ -@@ -168,7 +156,7 @@ endif +@@ -172,7 +160,7 @@ endif if ENABLE_DAEMON test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true - test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf 
$(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true -+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true endif if !AIX $(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d diff --git a/opencryptoki.spec b/opencryptoki.spec index 4c7fcc1..aa1ecaa 100644 --- a/opencryptoki.spec +++ b/opencryptoki.spec @@ -1,7 +1,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 -Version: 3.24.0 -Release: 5%{?dist} +Version: 3.25.0 +Release: 1%{?dist} License: CPL-1.0 URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz @@ -9,19 +9,21 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v Source1: opencryptoki.sysusers.conf # fix install problem in buildroot -Patch1: opencryptoki-3.24.0-p11sak.patch +Patch1: opencryptoki-3.25.0-p11sak.patch # tmpfiles.d config files for image mode Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch # upstream patches -Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch -Patch101: opencryptoki-3.24.0-resource-leaks.patch Requires(pre): coreutils Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted) BuildRequires: gcc gcc-c++ BuildRequires: openssl-devel >= 1.1.1 +# testcases require 'openssl' command line tool +BuildRequires: openssl >= 1.1.1 +# testcases require 'jq' command line tool +BuildRequires: jq %if 0%{?tmptok} BuildRequires: trousers-devel %endif 
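Review bot: With `-g $(pkcs_group)` left off the new p11kmip.conf install line and `-o root` now also removed from the strength.conf line, the `-m 0640` / `-m 640` modes no longer carry the intended owner and group; in the buildroot the files belong to whoever runs the build. In this commit the final `root:pkcs11` ownership comes only from the `%attr(0640, root, pkcs11)` entries in opencryptoki.spec, so the two places have to be kept in step each time a config file is added. I would record that where the patch is declared in the spec, e.g. `# fix install problem in buildroot: install without -o/-g, ownership is set by %attr in %files`. The trailing `|| true` on the new line also means a failed install of p11kmip.conf is not reported at this step.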
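Review bot: Patch100 and Patch101 are removed with no statement that their fixes are contained in the 3.25.0 tarball, and nothing on this page shows that they are. Before merging I would confirm that e58d2086cf9268a1dd2431c64c6bcdd74c2c3233 (incompatible pointer types in mech_openssl.c) and 66a18ffa057565b6bf292e50969ea27ce33b394c (the `temp_obj` leaks in the DH/ECDH derive paths and the `new_key->opaque_attr` leak in pkcscca.c) are part of v3.25.0, and note that in the changelog entry. The `# upstream patches` comment is left with nothing under it; either drop it or make it `# upstream patches: none needed for 3.25.0`. Patch2 keeps its 3.24.0 file name, so a short comment that it was re-checked against 3.25.0 would help the next rebase.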
@@ -48,10 +50,10 @@ Requires(postun): systemd %description -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package contains the Slot Daemon (pkcsslotd) and general utilities. @@ -61,10 +63,10 @@ Summary: The run-time libraries for opencryptoki package Requires(pre): shadow-utils %description libs -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package contains the PKCS#11 library implementation, and requires at least one token implementation (packaged separately) to be fully 
@@ -87,10 +89,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description swtok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the software token implementation to use opencryptoki without any specific cryptographic hardware. @@ -103,10 +105,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description tpmtok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support Trusted Platform Module (TPM) devices in the opencryptoki stack. 
@@ -119,10 +121,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description icsftok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support ICSF token in the opencryptoki stack. @@ -135,14 +137,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description icatok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support ICA devices in the opencryptoki stack. ICA is an interface to IBM -cryptographic hardware such as IBM 4764 or 4765 that uses the +cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the "accelerator" or "clear-key" path. %package ccatok 
@@ -152,14 +154,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description ccatok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support CCA devices in the opencryptoki stack. CCA is an interface to IBM -cryptographic hardware such as IBM 4764 or 4765 that uses the +cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the "co-processor" or "secure-key" path. %package ep11tok @@ -169,10 +171,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description ep11tok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support EP11 tokens in the opencryptoki stack. The EP11 token is a token that uses 
@@ -231,6 +233,12 @@ install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/ install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/ install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/ +# convert absolute links to relative links. +rm -f %{buildroot}%{_libdir}/%{name}/methods && ln -fs ../../bin %{buildroot}%{_libdir}/%{name}/methods +rm -f %{buildroot}%{_libdir}/pkcs11/methods && ln -fs ../../bin %{buildroot}%{_libdir}/pkcs11/methods + +%check +make check %pre # don't touch opencryptoki.conf even if it is unchanged due to new tokversion @@ -272,11 +280,13 @@ fi %doc %{_docdir}/%{name}/*.conf %dir %{_sysconfdir}/%{name} %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf -%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf -%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf +%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf +%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf +%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11kmip.conf %{_tmpfilesdir}/%{name}.conf %{_unitdir}/pkcsslotd.service %{_sbindir}/p11sak +%{_sbindir}/p11kmip %{_sbindir}/pkcstok_migrate %{_sbindir}/pkcsconf %{_sbindir}/pkcsslotd @@ -286,11 +296,13 @@ fi %{_mandir}/man1/p11sak.1* %{_mandir}/man1/pkcstok_migrate.1* %{_mandir}/man1/pkcsconf.1* +%{_mandir}/man1/p11kmip.1* %{_mandir}/man1/pkcsstats.1* %{_mandir}/man1/pkcshsm_mk_change.1* %{_mandir}/man1/pkcstok_admin.1* %{_mandir}/man5/policy.conf.5* %{_mandir}/man5/strength.conf.5* +%{_mandir}/man5/p11kmip.conf.5* %{_mandir}/man5/%{name}.conf.5* %{_mandir}/man5/p11sak_defined_attrs.conf.5* %{_mandir}/man7/%{name}.7* 
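Review bot: The two added `ln -fs ../../bin ...methods` lines hard-code the link target, while the tools are packaged as `%{_sbindir}/p11sak`, `%{_sbindir}/p11kmip` and so on in %files. If `%{_sbindir}` is not the same directory as `bin` two levels above `%{_libdir}/%{name}`, the relative link resolves somewhere other than the absolute link it replaces; the original target is not visible in this diff, so this needs checking against the upstream install rules. I would state the assumption next to the commands, e.g. `# methods -> ../../bin assumes %{_libdir} is two levels below the prefix and %{_sbindir} resolves to that bin directory`. `%check` now runs `make check` on every build; a one-line comment that this is what the new `openssl` and `jq` BuildRequires are for would help when a build fails there.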
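Review bot: Adding `%verify(not md5 size mtime)` to p11sak_defined_attrs.conf, strength.conf and p11kmip.conf means `rpm -V` stops reporting content changes to these files and checks only the remaining attributes such as mode, owner and group. For strength.conf, which by its name and man page holds the key-strength definitions, that removes one cheap way of noticing an edited policy, so the reason for the exemption should be written above the three entries. If the reason is that the files are expected to be edited locally, something like `# local edits expected; rpm -V checks mode/owner/group only for these conf files` would do. Sites that rely on `rpm -V` for integrity checks would then know to cover these paths with their file-integrity tooling instead.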
@@ -389,6 +401,16 @@ fi
 %changelog
+* Fri Jul 04 2025 Than Ngo - 3.25.0-1
+- Resolves: RHEL-73344, upgrade openCryptoki
+- Resolves: RHEL-90590, basic support of AES-GCM
+- Resolves: RHEL-72965, cca token support cipher keys
+- Resolves: RHEL-72969, support for CKM_RSA_AES_KEY_WRAP for cca, ica and soft tokens
+- Resolves: RHEL-75141, add a tool to import/export PKCS #11 keys from to a KMIP server
+- Resolves: RHEL-75762, ep11 token: import and export of secure key objects
+- Resolves: RHEL-85375, cca token: Support ECDH to derive AES keys
+- Resolves: RHEL-85377, ep11 token: PKCS #11 3.0 - support SHA3
+
 * Wed Apr 09 2025 Than Ngo - 3.24.0-5
 - Related: RHEL-77147, opencryptoki doesn't work in image mode
diff --git a/sources b/sources
index 8c1e220..863e35e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (opencryptoki-3.24.0.tar.gz) = 5a01c44cfd6b1a7021fabf5d0dda8871a8f569377f689109819c992fe4259764023bd76373b08040f1d01264567fceaeff2c43f2852c37f3a48450fe61c96ce7
+SHA512 (opencryptoki-3.25.0.tar.gz) = 33ea9e8b39812af96ca858e9584d4d494a3c6e3761f1cb96d32a9f781a4d1bbcae161d8c593603f6cb9f6ec01f6ac3c3fb1629673e38e716712f8afe7589a1a0