From 9ab1d9be54138d10d2d28169672b58a9f60ae841 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Thu, 3 Jul 2025 17:47:47 +0200
Subject: [PATCH] - Resolves: RHEL-85376, ep11 token: PKCS #11 3.0 - support SHA3 - Resolves: RHEL-90589, CCA token: basic support of AES-GCM - Resolves: RHEL-72964, cca token support cipher keys - Resolves: RHEL-72968, Support for CKM_RSA_AES_KEY_WRAP for cca, ica and soft tokens - Resolves: RHEL-73343, Upgrade openCryptoki to latest version - Resolves: RHEL-75144, p11kmip: a tool to import/export PKCS #11 keys from to a KMIP server - Resolves: RHEL-75761, ep11 token: import and export of secure key objects - Resolves: RHEL-85374, cca token: Support ECDH to derive AES keys
---
 .gitignore | 1 +
 ...or-due-to-incompatible-pointer-types.patch | 66 -----------
 opencryptoki-3.24.0-resource-leaks.patch | 75 -------------
 ....patch => opencryptoki-3.25.0-p11sak.patch | 15 ++-
 opencryptoki.spec | 106 +++++++++++-------
 sources | 2 +-
 6 files changed, 76 insertions(+), 189 deletions(-)
 delete mode 100644 opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
 delete mode 100644 opencryptoki-3.24.0-resource-leaks.patch
 rename opencryptoki-3.24.0-p11sak.patch => opencryptoki-3.25.0-p11sak.patch (76%)
diff --git a/.gitignore b/.gitignore
index d027b6d..b294784 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,4 @@ opencryptoki-2.3.1.tar.gz
 /opencryptoki-3.21.0.tar.gz
 /opencryptoki-3.22.0.tar.gz
 /opencryptoki-3.23.0.tar.gz
+/opencryptoki-3.25.0.tar.gz
diff --git a/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch b/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
deleted file mode 100644
index a0b77dd..0000000
--- a/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-commit e58d2086cf9268a1dd2431c64c6bcdd74c2c3233
-Author: Ingo Franzki
-Date: Mon Sep 16 09:16:03 2024 +0200
-
- COMMON: Fix compile error due to incompatible pointer types
-
- usr/lib/common/mech_openssl.c:4751:36: error: passing argument 2 of
- 'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types]
- 4751 | rc = get_sha_size(digest_mech, &mac_len);
-
- usr/lib/common/mech_openssl.c:4851:36: error: passing argument 2 of
- 'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types]
- 4851 | rc = get_sha_size(digest_mech, &mac_len);
-
- Closes: https://github.com/opencryptoki/opencryptoki/issues/809
-
-
Signed-off-by: Ingo Franzki
-
-diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
-index 296b5e0a..500b6f91 100644
---- a/usr/lib/common/mech_openssl.c
-+++ b/usr/lib/common/mech_openssl.c
-@@ -4731,6 +4731,7 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
- CK_RV rv = CKR_OK;
- CK_BBOOL general = FALSE;
- CK_MECHANISM_TYPE digest_mech;
-+ CK_ULONG mac_len2;
-
- if (!ctx || !ctx->context) {
- TRACE_ERROR("%s received bad argument(s)\n", __func__);
-@@ -4748,11 +4749,12 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
- return rc;
- }
-
-- rc = get_sha_size(digest_mech, &mac_len);
-+ rc = get_sha_size(digest_mech, &mac_len2);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s get_sha_size failed\n", __func__);
- return rc;
- }
-+ mac_len = mac_len2;
-
- mdctx = (EVP_MD_CTX *) ctx->context;
-
-@@ -4833,6 +4835,7 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
- CK_RV rv = CKR_OK;
- CK_BBOOL general = FALSE;
- CK_MECHANISM_TYPE digest_mech;
-+ CK_ULONG mac_len2;
-
- if (!ctx || !ctx->context)
- return CKR_OPERATION_NOT_INITIALIZED;
-@@ -4848,11 +4851,12 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
- return rc;
- }
-
-- rc = get_sha_size(digest_mech, &mac_len);
-+ rc = get_sha_size(digest_mech, &mac_len2);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s get_sha_size failed\n", __func__);
- return rc;
- }
-+ mac_len = mac_len2;
-
- if (signature == NULL) {
- if (sign) {
diff --git a/opencryptoki-3.24.0-resource-leaks.patch b/opencryptoki-3.24.0-resource-leaks.patch
deleted file mode 100644
index f0c2598..0000000
--- a/opencryptoki-3.24.0-resource-leaks.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-commit 66a18ffa057565b6bf292e50969ea27ce33b394c
-Author: Than Ngo
-Date: Tue Oct 29 13:41:23 2024 +0100
-
- Fix resource leak
-
- 1. Defect type: RESOURCE_LEAK
- 4. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: alloc_fn: Storage is returned from allocation function "malloc".
- 5. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: var_assign: Assigning: "new_key->opaque_attr" = storage returned from "malloc(attrs[0].ulValueLen)".
- 7. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:748:5: noescape: Resource "new_key->opaque_attr" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
- 9. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:752:9: leaked_storage: Freeing "new_key" without freeing its pointer field "opaque_attr" leaks the storage that "opaque_attr" points to.
- 750| if (!new_key->label) {
- 751| print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1);
- 752|-> free(new_key);
- 753| return 2;
- 754| }
-
- 2. Defect type: RESOURCE_LEAK
- 15. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1140:5: alloc_arg: "object_mgr_create_skel" allocates memory that is stored into "temp_obj".
- 21. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1182:5: leaked_storage: Variable "temp_obj" going out of scope leaks the storage it points to.
- 1180| free(derived_key);
- 1181|
- 1182|-> return rc;
- 1183| }
- 1184|
-
-
Signed-off-by: Than Ngo
-
-diff --git a/usr/lib/common/mech_dh.c b/usr/lib/common/mech_dh.c
-index b59ed852..79ac5b4d 100644
---- a/usr/lib/common/mech_dh.c
-+++ b/usr/lib/common/mech_dh.c
-@@ -124,6 +124,8 @@ CK_RV dh_pkcs_derive(STDLL_TokData_t *tokdata,
- if (rc != CKR_OK) {
- TRACE_ERROR("template_update_attribute failed\n");
- free(new_attr);
-+ object_free(temp_obj);
-+ temp_obj = NULL;
- return rc;
- }
-
-diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
-index be8f5218..b062dbfb 100644
---- a/usr/lib/common/mech_ec.c
-+++ b/usr/lib/common/mech_ec.c
-@@ -1152,6 +1152,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess,
- TRACE_ERROR("template_update_attribute failed\n");
- free(value_attr);
- free(vallen_attr);
-+ object_free(temp_obj);
-+ temp_obj = NULL;
- goto end;
- }
-
-@@ -1160,6 +1162,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess,
- if (rc != CKR_OK) {
- TRACE_ERROR("template_update_attribute failed\n");
- free(vallen_attr);
-+ object_free(temp_obj);
-+ temp_obj = NULL;
- goto end;
- }
- }
-diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
-index ffbe3311..a3756c14 100644
---- a/usr/sbin/pkcscca/pkcscca.c
-+++ b/usr/sbin/pkcscca/pkcscca.c
-@@ -749,6 +749,7 @@ int add_key(CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *attrs, struct key **keys)
- new_key->label = malloc(attrs[2].ulValueLen + 1);
- if (!new_key->label) {
- print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1);
-+ free(new_key->opaque_attr);
- free(new_key);
- return 2;
- }
diff --git a/opencryptoki-3.24.0-p11sak.patch b/opencryptoki-3.25.0-p11sak.patch
similarity index 76%
rename from opencryptoki-3.24.0-p11sak.patch
rename to opencryptoki-3.25.0-p11sak.patch
index a730c0b..b079eac 100644
--- a/opencryptoki-3.24.0-p11sak.patch
+++ b/opencryptoki-3.25.0-p11sak.patch
@@ -1,6 +1,6 @@
-diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am
---- opencryptoki-3.24.0/Makefile.am.me 2024-09-12 12:53:05.023882913 +0200
-+++ opencryptoki-3.24.0/Makefile.am 2024-09-12 12:55:34.366644836 +0200
+diff -up opencryptoki-3.25.0/Makefile.am.me opencryptoki-3.25.0/Makefile.am
+--- opencryptoki-3.25.0/Makefile.am.me 2025-06-10 08:52:39.000000000 +0200
++++ opencryptoki-3.25.0/Makefile.am 2025-06-10 15:32:06.974976310 +0200
 @@ -51,20 +51,8 @@ include tools/tools.mk
 include doc/doc.mk
@@ -22,16 +22,21 @@ diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am
 if ENABLE_LIBRARY
 $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
 $(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11
-@@ -117,7 +105,7 @@ if ENABLE_EP11TOK
+@@ -117,11 +105,11 @@ if ENABLE_EP11TOK
 endif
 if ENABLE_P11SAK
 test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
 - test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
 + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+ endif
+ if ENABLE_P11KMIP
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
+- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
 endif
 if ENABLE_ICATOK
 cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
-@@ -168,7 +156,7 @@ endif
+@@ -172,7 +160,7 @@ endif
 if ENABLE_DAEMON
 test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
 test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
diff --git a/opencryptoki.spec b/opencryptoki.spec
index d32b386..5996463 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
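Review bot: The new `p11kmip.conf` install line drops `-g $(pkcs_group)` without recording that group ownership now depends on the packaging. With this patch applied the file is created 0640 under the installing user's default group, and the `pkcs11` group is restored only by the `%attr(0640, root, pkcs11)` entry in opencryptoki.spec; the same holds for `p11sak_defined_attrs.conf`. A header line in the patch would make that coupling visible, for example `# group is not set at install time (presumably absent in the buildroot); ownership comes from %attr in opencryptoki.spec`. The trailing `|| true` on the same line also means a failed install of this config only surfaces later, when %files cannot find it.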
@@ -1,7 +1,7 @@ Name: opencryptoki -Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 -Version: 3.24.0 -Release: 8%{?dist} +Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1 +Version: 3.25.0 +Release: 1%{?dist} License: CPL-1.0 URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz @@ -11,19 +11,21 @@ Source1: opencryptoki.module Source2: opencryptoki.sysusers.conf # fix install problem in buildroot -Patch1: opencryptoki-3.24.0-p11sak.patch +Patch1: opencryptoki-3.25.0-p11sak.patch # tmpfiles.d config files for image mode Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch # upstream patches -Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch -Patch101: opencryptoki-3.24.0-resource-leaks.patch Requires(pre): coreutils Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted) BuildRequires: gcc gcc-c++ BuildRequires: openssl-devel >= 1.1.1 +# testcases require 'openssl' command line tool +BuildRequires: openssl >= 1.1.1 +# testcases require 'jq' command line tool +BuildRequires: jq %if 0%{?tmptok} BuildRequires: trousers-devel %endif @@ -50,10 +52,10 @@ Requires(postun): systemd %description -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package contains the Slot Daemon (pkcsslotd) and general utilities. 
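Review bot: Dropping `Patch100` and `Patch101` assumes the pointer-type fix and the resource-leak fixes are already contained in the 3.25.0 tarball, and nothing on this page shows that; it is worth confirming against the new source before merge. The `# upstream patches` header is also left with no entries under it, and `Patch2` keeps its 3.24.0 file name while `Patch1` was renamed. Either remove the empty header or replace it with a note such as `# upstream patches: none, the 3.24.0 fixes were dropped with the rebase to 3.25.0`.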
@@ -63,10 +65,10 @@ Summary: The run-time libraries for opencryptoki package Requires(pre): shadow-utils %description libs -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package contains the PKCS#11 library implementation, and requires at least one token implementation (packaged separately) to be fully @@ -89,10 +91,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description swtok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the software token implementation to use opencryptoki without any specific cryptographic hardware. 
@@ -105,10 +107,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description tpmtok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support Trusted Platform Module (TPM) devices in the opencryptoki stack. @@ -121,10 +123,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description icsftok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support ICSF token in the opencryptoki stack. 
@@ -137,14 +139,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description icatok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support ICA devices in the opencryptoki stack. ICA is an interface to IBM -cryptographic hardware such as IBM 4764 or 4765 that uses the +cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the "accelerator" or "clear-key" path. %package ccatok 
@@ -154,14 +156,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description ccatok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support CCA devices in the opencryptoki stack. CCA is an interface to IBM -cryptographic hardware such as IBM 4764 or 4765 that uses the +cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the "co-processor" or "secure-key" path. %package ep11tok @@ -171,10 +173,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description ep11tok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support EP11 tokens in the opencryptoki stack. The EP11 token is a token that uses 
@@ -233,6 +235,12 @@ install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/ install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/ install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/ +# convert absolute links to relative links. +rm -f %{buildroot}%{_libdir}/%{name}/methods && ln -fs ../../bin %{buildroot}%{_libdir}/%{name}/methods +rm -f %{buildroot}%{_libdir}/pkcs11/methods && ln -fs ../../bin %{buildroot}%{_libdir}/pkcs11/methods + +%check +make check %pre # don't touch opencryptoki.conf even if it is unchanged due to new tokversion @@ -274,11 +282,13 @@ fi %doc %{_docdir}/%{name}/*.conf %dir %{_sysconfdir}/%{name} %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf -%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf -%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf +%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf +%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf +%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11kmip.conf %{_tmpfilesdir}/%{name}.conf %{_unitdir}/pkcsslotd.service %{_sbindir}/p11sak +%{_sbindir}/p11kmip %{_sbindir}/pkcstok_migrate %{_sbindir}/pkcsconf %{_sbindir}/pkcsslotd @@ -288,11 +298,13 @@ fi %{_mandir}/man1/p11sak.1* %{_mandir}/man1/pkcstok_migrate.1* %{_mandir}/man1/pkcsconf.1* +%{_mandir}/man1/p11kmip.1* %{_mandir}/man1/pkcsstats.1* %{_mandir}/man1/pkcshsm_mk_change.1* %{_mandir}/man1/pkcstok_admin.1* %{_mandir}/man5/policy.conf.5* %{_mandir}/man5/strength.conf.5* +%{_mandir}/man5/p11kmip.conf.5* %{_mandir}/man5/%{name}.conf.5* %{_mandir}/man5/p11sak_defined_attrs.conf.5* %{_mandir}/man7/%{name}.7* 
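Review bot: Both replacement `methods` links hard-code `../../bin` as their target, while the comment only says that absolute links become relative; the page does not show what the original absolute target was. If the upstream install points `methods` at `$(sbindir)`, these lines silently retarget the directory on any system where `%{_sbindir}` and `%{_bindir}` differ. Deriving the target from the macro keeps the link tied to the packaged path, e.g. `ln -fsr %{buildroot}%{_sbindir} %{buildroot}%{_libdir}/%{name}/methods` and the same for `pkcs11/methods`. Note as well that in `rm -f … && ln -fs …` a failing `rm` skips the `ln` without aborting the build.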
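Review bot: The `%verify(not md5 size mtime)` added to `p11sak_defined_attrs.conf`, `strength.conf` and the new `p11kmip.conf` takes these files out of the content checks of `rpm -V`, and nothing in the spec or the changelog says why. Mode, owner and group are still verified, so the `0640 root:pkcs11` setting stays covered, but a modified `strength.conf` will no longer be reported. A one-line comment above the three entries would record the intent, e.g. `# admin-edited configs: content is not checked by rpm -V, mode/owner/group still are`. Hosts that need change detection on these files have to cover them with a separate file-integrity tool.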
@@ -391,6 +403,16 @@ fi
 %changelog
+* Thu Jul 03 2025 Than Ngo - 3.25.0-1
+- Resolves: RHEL-85376, ep11 token: PKCS #11 3.0 - support SHA3
+- Resolves: RHEL-90589, CCA token: basic support of AES-GCM
+- Resolves: RHEL-72964, cca token support cipher keys
+- Resolves: RHEL-72968, Support for CKM_RSA_AES_KEY_WRAP for cca, ica and soft tokens
+- Resolves: RHEL-73343, Upgrade openCryptoki to latest version
+- Resolves: RHEL-75144, p11kmip: a tool to import/export PKCS #11 keys from to a KMIP server
+- Resolves: RHEL-75761, ep11 token: import and export of secure key objects
+- Resolves: RHEL-85374, cca token: Support ECDH to derive AES keys
+
 * Wed Apr 09 2025 Than Ngo - 3.24.0-8
 - Related: RHEL-77146, opencryptoki doesn't work in image mode
diff --git a/sources b/sources
index 8c1e220..863e35e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (opencryptoki-3.24.0.tar.gz) = 5a01c44cfd6b1a7021fabf5d0dda8871a8f569377f689109819c992fe4259764023bd76373b08040f1d01264567fceaeff2c43f2852c37f3a48450fe61c96ce7
+SHA512 (opencryptoki-3.25.0.tar.gz) = 33ea9e8b39812af96ca858e9584d4d494a3c6e3761f1cb96d32a9f781a4d1bbcae161d8c593603f6cb9f6ec01f6ac3c3fb1629673e38e716712f8afe7589a1a0