rpms/opencryptoki
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-73344, upgrade openCryptoki

Browse Source 
Resolves: RHEL-90590, basic support of AES-GCM
Resolves: RHEL-72965, cca token support cipher keys
Resolves: RHEL-72969, support for CKM_RSA_AES_KEY_WRAP for cca, ica and soft tokens
Resolves: RHEL-75141, add a tool to import/export PKCS #11 keys from to a KMIP server
Resolves: RHEL-75762, ep11 token: import and export of secure key objects
Resolves: RHEL-85375, cca token: Support ECDH to derive AES keys
Resolves: RHEL-85377, ep11 token: PKCS #11 3.0 - support SHA3
This commit is contained in:
Than Ngo 2025-07-04 15:22:24 +02:00
parent 50dff60271
commit 40e87ccf61
6 changed files with 76 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -35,3 +35,4 @@ opencryptoki-2.3.1.tar.gz
/opencryptoki-3.22.0.tar.gz /opencryptoki-3.22.0.tar.gz
/opencryptoki-3.23.0.tar.gz /opencryptoki-3.23.0.tar.gz
/opencryptoki-3.24.0.tar.gz /opencryptoki-3.24.0.tar.gz
/opencryptoki-3.25.0.tar.gz

66
opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
View File

@ -1,66 +0,0 @@
commit e58d2086cf9268a1dd2431c64c6bcdd74c2c3233
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Sep 16 09:16:03 2024 +0200
COMMON: Fix compile error due to incompatible pointer types
usr/lib/common/mech_openssl.c:4751:36: error: passing argument 2 of
'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types]
4751 | rc = get_sha_size(digest_mech, &mac_len);
usr/lib/common/mech_openssl.c:4851:36: error: passing argument 2 of
'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types]
4851 | rc = get_sha_size(digest_mech, &mac_len);
Closes: https://github.com/opencryptoki/opencryptoki/issues/809
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
index 296b5e0a..500b6f91 100644
--- a/usr/lib/common/mech_openssl.c
+++ b/usr/lib/common/mech_openssl.c
@@ -4731,6 +4731,7 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
CK_RV rv = CKR_OK;
CK_BBOOL general = FALSE;
CK_MECHANISM_TYPE digest_mech;
+ CK_ULONG mac_len2;
if (!ctx || !ctx->context) {
TRACE_ERROR("%s received bad argument(s)\n", __func__);
@@ -4748,11 +4749,12 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
return rc;
}
- rc = get_sha_size(digest_mech, &mac_len);
+ rc = get_sha_size(digest_mech, &mac_len2);
if (rc != CKR_OK) {
TRACE_ERROR("%s get_sha_size failed\n", __func__);
return rc;
}
+ mac_len = mac_len2;
mdctx = (EVP_MD_CTX *) ctx->context;
@@ -4833,6 +4835,7 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
CK_RV rv = CKR_OK;
CK_BBOOL general = FALSE;
CK_MECHANISM_TYPE digest_mech;
+ CK_ULONG mac_len2;
if (!ctx || !ctx->context)
return CKR_OPERATION_NOT_INITIALIZED;
@@ -4848,11 +4851,12 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
return rc;
}
- rc = get_sha_size(digest_mech, &mac_len);
+ rc = get_sha_size(digest_mech, &mac_len2);
if (rc != CKR_OK) {
TRACE_ERROR("%s get_sha_size failed\n", __func__);
return rc;
}
+ mac_len = mac_len2;
if (signature == NULL) {
if (sign) {

75
opencryptoki-3.24.0-resource-leaks.patch
View File

@ -1,75 +0,0 @@
commit 66a18ffa057565b6bf292e50969ea27ce33b394c
Author: Than Ngo <than@redhat.com>
Date: Tue Oct 29 13:41:23 2024 +0100
Fix resource leak
1. Defect type: RESOURCE_LEAK
4. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: alloc_fn: Storage is returned from allocation function "malloc".
5. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: var_assign: Assigning: "new_key->opaque_attr" = storage returned from "malloc(attrs[0].ulValueLen)".
7. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:748:5: noescape: Resource "new_key->opaque_attr" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
9. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:752:9: leaked_storage: Freeing "new_key" without freeing its pointer field "opaque_attr" leaks the storage that "opaque_attr" points to.
750| if (!new_key->label) {
751| print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1);
752|-> free(new_key);
753| return 2;
754| }
2. Defect type: RESOURCE_LEAK
15. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1140:5: alloc_arg: "object_mgr_create_skel" allocates memory that is stored into "temp_obj".
21. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1182:5: leaked_storage: Variable "temp_obj" going out of scope leaks the storage it points to.
1180| free(derived_key);
1181|
1182|-> return rc;
1183| }
1184|
Signed-off-by: Than Ngo <than@redhat.com>
diff --git a/usr/lib/common/mech_dh.c b/usr/lib/common/mech_dh.c
index b59ed852..79ac5b4d 100644
--- a/usr/lib/common/mech_dh.c
+++ b/usr/lib/common/mech_dh.c
@@ -124,6 +124,8 @@ CK_RV dh_pkcs_derive(STDLL_TokData_t *tokdata,
if (rc != CKR_OK) {
TRACE_ERROR("template_update_attribute failed\n");
free(new_attr);
+ object_free(temp_obj);
+ temp_obj = NULL;
return rc;
}
diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
index be8f5218..b062dbfb 100644
--- a/usr/lib/common/mech_ec.c
+++ b/usr/lib/common/mech_ec.c
@@ -1152,6 +1152,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess,
TRACE_ERROR("template_update_attribute failed\n");
free(value_attr);
free(vallen_attr);
+ object_free(temp_obj);
+ temp_obj = NULL;
goto end;
}
@@ -1160,6 +1162,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess,
if (rc != CKR_OK) {
TRACE_ERROR("template_update_attribute failed\n");
free(vallen_attr);
+ object_free(temp_obj);
+ temp_obj = NULL;
goto end;
}
}
diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
index ffbe3311..a3756c14 100644
--- a/usr/sbin/pkcscca/pkcscca.c
+++ b/usr/sbin/pkcscca/pkcscca.c
@@ -749,6 +749,7 @@ int add_key(CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *attrs, struct key **keys)
new_key->label = malloc(attrs[2].ulValueLen + 1);
if (!new_key->label) {
print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1);
+ free(new_key->opaque_attr);
free(new_key);
return 2;
}

17
opencryptoki-3.24.0-p11sak.patch → opencryptoki-3.25.0-p11sak.patch
View File

@ -1,6 +1,6 @@
diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am diff -up opencryptoki-3.25.0/Makefile.am.me opencryptoki-3.25.0/Makefile.am
--- opencryptoki-3.24.0/Makefile.am.me 2024-09-12 12:53:05.023882913 +0200 --- opencryptoki-3.25.0/Makefile.am.me 2025-06-10 08:52:39.000000000 +0200
+++ opencryptoki-3.24.0/Makefile.am 2024-09-12 12:55:34.366644836 +0200 +++ opencryptoki-3.25.0/Makefile.am 2025-06-10 15:32:06.974976310 +0200
@@ -51,20 +51,8 @@ include tools/tools.mk @@ -51,20 +51,8 @@ include tools/tools.mk
include doc/doc.mk include doc/doc.mk
@ -22,21 +22,26 @@ diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am
if ENABLE_LIBRARY if ENABLE_LIBRARY
$(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
$(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11 $(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11
@@ -117,7 +105,7 @@ if ENABLE_EP11TOK @@ -117,11 +105,11 @@ if ENABLE_EP11TOK
endif endif
if ENABLE_P11SAK if ENABLE_P11SAK
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true - test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
endif
if ENABLE_P11KMIP
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
endif endif
if ENABLE_ICATOK if ENABLE_ICATOK
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
@@ -168,7 +156,7 @@ endif @@ -172,7 +160,7 @@ endif
if ENABLE_DAEMON if ENABLE_DAEMON
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true - test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
endif endif
if !AIX if !AIX
$(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d $(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d

104
opencryptoki.spec
View File

@ -1,7 +1,7 @@
Name: opencryptoki Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.24.0 Version: 3.25.0
Release: 5%{?dist} Release: 1%{?dist}
License: CPL-1.0 License: CPL-1.0
URL: https://github.com/opencryptoki/opencryptoki URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -9,19 +9,21 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
Source1: opencryptoki.sysusers.conf Source1: opencryptoki.sysusers.conf
# fix install problem in buildroot # fix install problem in buildroot
Patch1: opencryptoki-3.24.0-p11sak.patch Patch1: opencryptoki-3.25.0-p11sak.patch
# tmpfiles.d config files for image mode # tmpfiles.d config files for image mode
Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
# upstream patches # upstream patches
Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
Patch101: opencryptoki-3.24.0-resource-leaks.patch
Requires(pre): coreutils Requires(pre): coreutils
Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted) Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
BuildRequires: gcc gcc-c++ BuildRequires: gcc gcc-c++
BuildRequires: openssl-devel >= 1.1.1 BuildRequires: openssl-devel >= 1.1.1
# testcases require 'openssl' command line tool
BuildRequires: openssl >= 1.1.1
# testcases require 'jq' command line tool
BuildRequires: jq
%if 0%{?tmptok} %if 0%{?tmptok}
BuildRequires: trousers-devel BuildRequires: trousers-devel
%endif %endif
@ -48,10 +50,10 @@ Requires(postun): systemd
%description %description
Opencryptoki implements the PKCS#11 specification v2.20 for a set of Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
token implementation that can be used without any cryptographic brings a software token implementation that can be used without any cryptographic
hardware. hardware.
This package contains the Slot Daemon (pkcsslotd) and general utilities. This package contains the Slot Daemon (pkcsslotd) and general utilities.
@ -61,10 +63,10 @@ Summary: The run-time libraries for opencryptoki package
Requires(pre): shadow-utils Requires(pre): shadow-utils
%description libs %description libs
Opencryptoki implements the PKCS#11 specification v2.20 for a set of Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
token implementation that can be used without any cryptographic brings a software token implementation that can be used without any cryptographic
hardware. hardware.
This package contains the PKCS#11 library implementation, and requires This package contains the PKCS#11 library implementation, and requires
at least one token implementation (packaged separately) to be fully at least one token implementation (packaged separately) to be fully
@ -87,10 +89,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token) Provides: %{name}(token)
%description swtok %description swtok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
token implementation that can be used without any cryptographic brings a software token implementation that can be used without any cryptographic
hardware. hardware.
This package brings the software token implementation to use opencryptoki This package brings the software token implementation to use opencryptoki
without any specific cryptographic hardware. without any specific cryptographic hardware.
@ -103,10 +105,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token) Provides: %{name}(token)
%description tpmtok %description tpmtok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
token implementation that can be used without any cryptographic brings a software token implementation that can be used without any cryptographic
hardware. hardware.
This package brings the necessary libraries and files to support This package brings the necessary libraries and files to support
Trusted Platform Module (TPM) devices in the opencryptoki stack. Trusted Platform Module (TPM) devices in the opencryptoki stack.
@ -119,10 +121,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token) Provides: %{name}(token)
%description icsftok %description icsftok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
token implementation that can be used without any cryptographic brings a software token implementation that can be used without any cryptographic
hardware. hardware.
This package brings the necessary libraries and files to support This package brings the necessary libraries and files to support
ICSF token in the opencryptoki stack. ICSF token in the opencryptoki stack.
@ -135,14 +137,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token) Provides: %{name}(token)
%description icatok %description icatok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
token implementation that can be used without any cryptographic brings a software token implementation that can be used without any cryptographic
hardware. hardware.
This package brings the necessary libraries and files to support ICA This package brings the necessary libraries and files to support ICA
devices in the opencryptoki stack. ICA is an interface to IBM devices in the opencryptoki stack. ICA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the
"accelerator" or "clear-key" path. "accelerator" or "clear-key" path.
%package ccatok %package ccatok
@ -152,14 +154,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token) Provides: %{name}(token)
%description ccatok %description ccatok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
token implementation that can be used without any cryptographic brings a software token implementation that can be used without any cryptographic
hardware. hardware.
This package brings the necessary libraries and files to support CCA This package brings the necessary libraries and files to support CCA
devices in the opencryptoki stack. CCA is an interface to IBM devices in the opencryptoki stack. CCA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the
"co-processor" or "secure-key" path. "co-processor" or "secure-key" path.
%package ep11tok %package ep11tok
@ -169,10 +171,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token) Provides: %{name}(token)
%description ep11tok %description ep11tok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
token implementation that can be used without any cryptographic brings a software token implementation that can be used without any cryptographic
hardware. hardware.
This package brings the necessary libraries and files to support EP11 This package brings the necessary libraries and files to support EP11
tokens in the opencryptoki stack. The EP11 token is a token that uses tokens in the opencryptoki stack. The EP11 token is a token that uses
@ -231,6 +233,12 @@ install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/
install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/ install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/
install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/ install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/
# convert absolute links to relative links.
rm -f %{buildroot}%{_libdir}/%{name}/methods && ln -fs ../../bin %{buildroot}%{_libdir}/%{name}/methods
rm -f %{buildroot}%{_libdir}/pkcs11/methods && ln -fs ../../bin %{buildroot}%{_libdir}/pkcs11/methods
%check
make check
%pre %pre
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
@ -272,11 +280,13 @@ fi
%doc %{_docdir}/%{name}/*.conf %doc %{_docdir}/%{name}/*.conf
%dir %{_sysconfdir}/%{name} %dir %{_sysconfdir}/%{name}
%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf %verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf %verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf
%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11kmip.conf
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%{_unitdir}/pkcsslotd.service %{_unitdir}/pkcsslotd.service
%{_sbindir}/p11sak %{_sbindir}/p11sak
%{_sbindir}/p11kmip
%{_sbindir}/pkcstok_migrate %{_sbindir}/pkcstok_migrate
%{_sbindir}/pkcsconf %{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd %{_sbindir}/pkcsslotd
@ -286,11 +296,13 @@ fi
%{_mandir}/man1/p11sak.1* %{_mandir}/man1/p11sak.1*
%{_mandir}/man1/pkcstok_migrate.1* %{_mandir}/man1/pkcstok_migrate.1*
%{_mandir}/man1/pkcsconf.1* %{_mandir}/man1/pkcsconf.1*
%{_mandir}/man1/p11kmip.1*
%{_mandir}/man1/pkcsstats.1* %{_mandir}/man1/pkcsstats.1*
%{_mandir}/man1/pkcshsm_mk_change.1* %{_mandir}/man1/pkcshsm_mk_change.1*
%{_mandir}/man1/pkcstok_admin.1* %{_mandir}/man1/pkcstok_admin.1*
%{_mandir}/man5/policy.conf.5* %{_mandir}/man5/policy.conf.5*
%{_mandir}/man5/strength.conf.5* %{_mandir}/man5/strength.conf.5*
%{_mandir}/man5/p11kmip.conf.5*
%{_mandir}/man5/%{name}.conf.5* %{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man5/p11sak_defined_attrs.conf.5* %{_mandir}/man5/p11sak_defined_attrs.conf.5*
%{_mandir}/man7/%{name}.7* %{_mandir}/man7/%{name}.7*
@ -389,6 +401,16 @@ fi
%changelog %changelog
* Fri Jul 04 2025 Than Ngo <than@redhat.com> - 3.25.0-1
- Resolves: RHEL-73344, upgrade openCryptoki
- Resolves: RHEL-90590, basic support of AES-GCM
- Resolves: RHEL-72965, cca token support cipher keys
- Resolves: RHEL-72969, support for CKM_RSA_AES_KEY_WRAP for cca, ica and soft tokens
- Resolves: RHEL-75141, add a tool to import/export PKCS #11 keys from to a KMIP server
- Resolves: RHEL-75762, ep11 token: import and export of secure key objects
- Resolves: RHEL-85375, cca token: Support ECDH to derive AES keys
- Resolves: RHEL-85377, ep11 token: PKCS #11 3.0 - support SHA3
* Wed Apr 09 2025 Than Ngo <than@redhat.com> - 3.24.0-5 * Wed Apr 09 2025 Than Ngo <than@redhat.com> - 3.24.0-5
- Related: RHEL-77147, opencryptoki doesn't work in image mode - Related: RHEL-77147, opencryptoki doesn't work in image mode

2
sources
View File

@ -1 +1 @@
SHA512 (opencryptoki-3.24.0.tar.gz) = 5a01c44cfd6b1a7021fabf5d0dda8871a8f569377f689109819c992fe4259764023bd76373b08040f1d01264567fceaeff2c43f2852c37f3a48450fe61c96ce7 SHA512 (opencryptoki-3.25.0.tar.gz) = 33ea9e8b39812af96ca858e9584d4d494a3c6e3761f1cb96d32a9f781a4d1bbcae161d8c593603f6cb9f6ec01f6ac3c3fb1629673e38e716712f8afe7589a1a0