import opencryptoki-3.15.1-3.el8

.gitignore

@@ -0,0 +1 @@
+SOURCES/opencryptoki-3.15.1.tar.gz

.opencryptoki.metadata

@@ -0,0 +1 @@
+66baf9c90f144bb273964270a39f23fadd86143d SOURCES/opencryptoki-3.15.1.tar.gz

SOURCES/opencryptoki-3.11.0-group.patch

@@ -0,0 +1,31 @@
+diff -up opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in
+--- opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me	2019-01-31 10:42:23.325797012 +0100
++++ opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in	2019-01-31 10:52:17.585191667 +0100
+@@ -55,9 +55,11 @@ void *attach_shared_memory()
+     int shmid;
+     char *shmp;
+     struct stat statbuf;
++#if 0
+     struct group *grp;
+     struct passwd *pw, *epw;
+     uid_t uid, euid;
++#endif
+ 
+ #if !(MMAP)
+     // Really should fstat the tok_path, since it will be the actual
+@@ -69,6 +71,7 @@ void *attach_shared_memory()
+         return NULL;
+     }
+ 
++#if 0
+     uid = getuid();
+     euid = geteuid();
+     // only check group membership if not root user
+@@ -102,6 +105,7 @@ void *attach_shared_memory()
+             return NULL;
+         }
+     }
++#endif
+ 
+     Anchor->shm_tok = ftok(TOK_PATH, 'b');
+ 

SOURCES/opencryptoki-3.11.0-lockdir.patch

@@ -0,0 +1,12 @@
+diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac
+--- opencryptoki-3.11.0/configure.ac.me	2019-01-30 17:10:19.660952694 +0100
++++ opencryptoki-3.11.0/configure.ac	2019-01-30 17:13:54.150089964 +0100
+@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS])
+ 
+ dnl Define custom variables
+ 
+-lockdir=$localstatedir/lock/opencryptoki
++lockdir=/run/lock/opencryptoki
+ AC_SUBST(lockdir)
+ 
+ logdir=$localstatedir/log/opencryptoki

SOURCES/opencryptoki-3.15.1-error_message_handling_for_p11sak_remove-key_command.patch

@@ -0,0 +1,118 @@
+diff -up opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c
+--- opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig	2020-11-26 13:25:41.679655774 +0100
++++ opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c	2020-11-26 13:26:00.170892352 +0100
+@@ -2192,10 +2192,8 @@ static CK_RV confirm_destroy(char **user
+     while (1){
+         nread = getline(user_input, &buflen, stdin);
+         if (nread == -1) {
+-            printf("User input failed (error code 0x%lX: %s)\n",
+-                    rc, p11_get_ckr(rc));
+-            rc = -1;
+-            return rc;
++            printf("User input: EOF\n");
++            return CKR_CANCEL;
+         }
+ 
+         if (user_input_ok(*user_input)) {
+@@ -2210,17 +2208,16 @@ static CK_RV confirm_destroy(char **user
+     return rc;
+ }
+ 
+-
+ static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session,
+-                                   CK_OBJECT_HANDLE *hkey)
++                                   CK_OBJECT_HANDLE *hkey, CK_BBOOL *boolDestroyFlag)
+ {
+     char *user_input = NULL;
+     CK_RV rc = CKR_OK;
+ 
+     rc = confirm_destroy(&user_input, label);
+     if (rc != CKR_OK) {
+-        printf("User input failed (error code 0x%lX: %s)\n",
+-                rc, p11_get_ckr(rc));
++        printf("Skip deleting Key. User input %s\n", p11_get_ckr(rc));
++        rc = CKR_CANCEL;
+         goto done;
+     }
+ 
+@@ -2232,9 +2229,11 @@ static CK_RV finalize_destroy_object(cha
+                    label, rc, p11_get_ckr(rc));
+             goto done;
+         }
++        *boolDestroyFlag = CK_TRUE;
+         printf("DONE - Destroy Object with Label: %s\n", label);
+     } else if (strncmp(user_input, "n", 1) == 0) {
+         printf("Skip deleting Key\n");
++        *boolDestroyFlag = CK_FALSE;
+     } else {
+         printf("Please just enter (y) for yes or (n) for no.\n");
+     }
+@@ -2254,6 +2253,8 @@ static CK_RV delete_key(CK_SESSION_HANDL
+     CK_OBJECT_HANDLE hkey;
+     char *keytype = NULL;
+     char *label = NULL;
++    CK_BBOOL boolDestroyFlag = CK_FALSE;
++    CK_BBOOL boolSkipFlag = CK_FALSE;
+     CK_RV rc = CKR_OK;
+ 
+     rc = tok_key_list_init(session, kt, label);
+@@ -2290,6 +2291,7 @@ static CK_RV delete_key(CK_SESSION_HANDL
+         if (*forceAll) {
+             if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
+                 printf("Destroy Object with Label: %s\n", label);
++
+                 rc = funcs->C_DestroyObject(session, hkey);
+                 if (rc != CKR_OK) {
+                     printf(
+@@ -2297,14 +2299,18 @@ static CK_RV delete_key(CK_SESSION_HANDL
+                             label, rc, p11_get_ckr(rc));
+                     goto done;
+                 }
+-                printf("DONE - Destroy Object with Label: %s\n", label);
++                boolDestroyFlag = CK_TRUE;
+             }
+         } else {
+             if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
+-                rc = finalize_destroy_object(label, &session, &hkey);
++                rc = finalize_destroy_object(label, &session, &hkey, &boolDestroyFlag);
+                 if (rc != CKR_OK) {
+                     goto done;
+                 }
++
++                if (!boolDestroyFlag) {
++                    boolSkipFlag = CK_TRUE;
++                }
+             }
+         }
+ 
+@@ -2321,6 +2327,16 @@ static CK_RV delete_key(CK_SESSION_HANDL
+ 
+ done:
+ 
++    if (strlen(rm_label) > 0) {
++        if (boolDestroyFlag) {
++            printf("Object with Label: %s found and destroyed \n", rm_label);
++        } else if (boolSkipFlag) {
++            printf("Object with Label: %s not deleted\n", rm_label);
++        } else if (rc == CKR_OK) {
++            printf("Object with Label: %s not found\n", rm_label);
++        }
++    }
++
+     if (rc != CKR_OK) {
+         free(label);
+         free(keytype);
+@@ -2494,8 +2510,11 @@ int main(int argc, char *argv[])
+     /* Execute command */
+     rc = execute_cmd(session, slot, cmd, kt, keylength, exponent, ECcurve,
+             label, attr_string, long_print, &forceAll);
+-    if (rc != CKR_OK) {
+-        printf("Failed to execute p11sak command (error code 0x%lX: %s)\n", rc,
++    if (rc == CKR_CANCEL) {
++        printf("Cancel execution: p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
++                p11_get_ckr(rc));
++    } else if (rc != CKR_OK) {
++        printf("Failed to execute p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
+                 p11_get_ckr(rc));
+         goto done;
+     }

SOURCES/opencryptoki-3.15.1-fix_compiling_with_c++.patch

@@ -0,0 +1,13 @@
+diff -up opencryptoki-3.15.1/usr/include/pkcs11types.h.me opencryptoki-3.15.1/usr/include/pkcs11types.h
+--- opencryptoki-3.15.1/usr/include/pkcs11types.h.me	2020-11-26 18:33:58.707979547 +0100
++++ opencryptoki-3.15.1/usr/include/pkcs11types.h	2020-11-26 18:35:22.428095872 +0100
+@@ -1483,7 +1483,7 @@ typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR
+ 
+ typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_IBM_FUNCTION_LIST_1_0;
+ typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR;
+-typedef struct CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
++typedef CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
+ 
+ typedef CK_RV (CK_PTR CK_C_Initialize) (CK_VOID_PTR pReserved);
+ typedef CK_RV (CK_PTR CK_C_Finalize) (CK_VOID_PTR pReserved);
+diff -up opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c.me opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c

SOURCES/opencryptoki.module

@@ -0,0 +1,8 @@
+# This file describes how to load the opensc module
+# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
+
+# This is a relative path, which means it will be loaded from
+# the p11-kit default path which is usually $(libdir)/pkcs11.
+# Doing it this way allows for packagers to package opensc for
+# 32-bit and 64-bit and make them parallel installable
+module: libopencryptoki.so

SPECS/opencryptoki.spec

@@ -0,0 +1,624 @@
+Name:			opencryptoki
+Summary:		Implementation of the PKCS#11 (Cryptoki) specification v2.11
+Version:		3.15.1
+Release:		3%{?dist}
+License:		CPL
+Group:			System Environment/Base
+URL:			https://github.com/opencryptoki/opencryptoki
+Source0:		https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1:		opencryptoki.module
+# https://bugzilla.redhat.com/show_bug.cgi?id=732756
+Patch0:			opencryptoki-3.11.0-group.patch
+# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
+Patch1:			opencryptoki-3.11.0-lockdir.patch
+# upstream fixes
+# https://github.com/opencryptoki/opencryptoki/commit/eef7049ce857ee5d5ec64e369a10e05e8bb5c4dd
+Patch2:			opencryptoki-3.15.1-error_message_handling_for_p11sak_remove-key_command.patch
+# https://github.com/opencryptoki/opencryptoki/commit/2d16f003911ceee50967546f4b3c7cac2db9ba86
+Patch3:			opencryptoki-3.15.1-fix_compiling_with_c++.patch
+
+Requires(pre):		coreutils
+BuildRequires:		gcc
+BuildRequires:		openssl-devel
+BuildRequires:		trousers-devel
+BuildRequires:		openldap-devel
+BuildRequires:		autoconf automake libtool
+BuildRequires:		bison flex
+BuildRequires:		systemd
+BuildRequires:		libitm-devel
+%ifarch s390 s390x
+BuildRequires:		libica-devel >= 2.3
+%endif
+Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}(token)
+Requires(post):		systemd
+Requires(preun):	systemd
+Requires(postun):	systemd
+
+
+%description
+Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
+Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
+token implementation that can be used without any cryptographic
+hardware.
+This package contains the Slot Daemon (pkcsslotd) and general utilities.
+
+
+%package libs
+Group:			System Environment/Libraries
+Summary:		The run-time libraries for opencryptoki package
+Requires(pre):	shadow-utils
+
+%description libs
+Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
+Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
+token implementation that can be used without any cryptographic
+hardware.
+This package contains the PKCS#11 library implementation, and requires
+at least one token implementation (packaged separately) to be fully
+functional.
+
+
+%package devel
+Group:			Development/Libraries
+Summary:		Development files for openCryptoki
+Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
+
+%description devel
+This package contains the development header files for building
+opencryptoki and PKCS#11 based applications
+
+
+%package swtok
+Group:			System Environment/Libraries
+Summary:		The software token implementation for opencryptoki
+Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
+Provides:		%{name}(token)
+
+%description swtok
+Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
+Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
+token implementation that can be used without any cryptographic
+hardware.
+This package brings the software token implementation to use opencryptoki
+without any specific cryptographic hardware.
+
+
+%package tpmtok
+Group:			System Environment/Libraries
+Summary:		Trusted Platform Module (TPM) device support for opencryptoki
+Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
+Provides:		%{name}(token)
+
+%description tpmtok
+Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
+Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
+token implementation that can be used without any cryptographic
+hardware.
+This package brings the necessary libraries and files to support
+Trusted Platform Module (TPM) devices in the opencryptoki stack.
+
+
+%package icsftok
+Group:			System Environment/Libraries
+Summary:		ICSF token support for opencryptoki
+Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
+Provides:		%{name}(token)
+
+%description icsftok
+Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
+Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
+token implementation that can be used without any cryptographic
+hardware.
+This package brings the necessary libraries and files to support
+ICSF token in the opencryptoki stack.
+
+
+%ifarch s390 s390x
+%package icatok
+Group:			System Environment/Libraries
+Summary:		ICA cryptographic devices (clear-key) support for opencryptoki
+Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
+Provides:		%{name}(token)
+
+%description icatok
+Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
+Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
+token implementation that can be used without any cryptographic
+hardware.
+This package brings the necessary libraries and files to support ICA
+devices in the opencryptoki stack. ICA is an interface to IBM
+cryptographic hardware such as IBM 4764 or 4765 that uses the
+"accelerator" or "clear-key" path.
+
+%package ccatok
+Group:			System Environment/Libraries
+Summary:		CCA cryptographic devices (secure-key) support for opencryptoki
+Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
+Provides:		%{name}(token)
+
+%description ccatok
+Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
+Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
+token implementation that can be used without any cryptographic
+hardware.
+This package brings the necessary libraries and files to support CCA
+devices in the opencryptoki stack. CCA is an interface to IBM
+cryptographic hardware such as IBM 4764 or 4765 that uses the
+"co-processor" or "secure-key" path.
+
+%package ep11tok
+Group:			System Environment/Libraries
+Summary:		CCA cryptographic devices (secure-key) support for opencryptoki
+Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
+Provides:		%{name}(token)
+
+%description ep11tok
+Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
+Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
+token implementation that can be used without any cryptographic
+hardware.
+This package brings the necessary libraries and files to support EP11
+tokens in the opencryptoki stack. The EP11 token is a token that uses
+the IBM Crypto Express adapters (starting with Crypto Express 4S adapters)
+configured with Enterprise PKCS#11 (EP11) firmware.
+%endif
+
+
+%prep
+%autosetup -p1
+
+
+%build
+./bootstrap.sh
+
+%configure --with-systemd=%{_unitdir}	\
+%ifarch s390 s390x
+    --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
+%else
+    --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --disable-pkcscca_migrate
+%endif
+
+make %{?_smp_mflags} CHGRP=/bin/true
+
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true
+install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
+
+# Remove unwanted cruft
+rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la
+rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la
+
+
+%post libs -p /sbin/ldconfig
+%post swtok -p /sbin/ldconfig
+%post tpmtok -p /sbin/ldconfig
+%post icsftok -p /sbin/ldconfig
+%ifarch s390 s390x
+%post icatok -p /sbin/ldconfig
+%post ccatok -p /sbin/ldconfig
+%post ep11tok -p /sbin/ldconfig
+%endif
+
+%postun libs -p /sbin/ldconfig
+%postun swtok -p /sbin/ldconfig
+%postun tpmtok -p /sbin/ldconfig
+%postun icsftok -p /sbin/ldconfig
+%ifarch s390 s390x
+%postun icatok -p /sbin/ldconfig
+%postun ccatok -p /sbin/ldconfig
+%postun ep11tok -p /sbin/ldconfig
+%endif
+
+%pre libs
+getent group pkcs11 >/dev/null || groupadd -r pkcs11
+exit 0
+
+%post
+%systemd_post pkcsslotd.service
+if test $1 -eq 1; then
+    %tmpfiles_create
+fi
+
+%preun
+%systemd_preun pkcsslotd.service
+
+%postun
+%systemd_postun_with_restart pkcsslotd.service
+
+
+%files
+%doc ChangeLog FAQ README.md
+%doc doc/opencryptoki-howto.md
+%doc doc/README.token_data
+%dir %{_sysconfdir}/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%{_tmpfilesdir}/%{name}.conf
+%{_unitdir}/pkcsslotd.service
+%{_sbindir}/p11sak
+%{_sbindir}/pkcstok_migrate
+%{_sbindir}/pkcsconf
+%{_sbindir}/pkcsslotd
+%{_mandir}/man1/p11sak.1*
+%{_mandir}/man1/pkcstok_migrate.1*
+%{_mandir}/man1/pkcsconf.1*
+%{_mandir}/man5/%{name}.conf.5*
+%{_mandir}/man7/%{name}.7*
+%{_mandir}/man8/pkcsslotd.8*
+%{_libdir}/opencryptoki/methods
+%{_libdir}/pkcs11/methods
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
+%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
+%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
+%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
+
+%files libs
+%license LICENSE
+%{_sysconfdir}/ld.so.conf.d/*
+# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki
+# needs them in the main package, because:
+#   documentation suggests that programs should dlopen "PKCS11_API.so".
+%dir %{_libdir}/opencryptoki
+%{_libdir}/opencryptoki/libopencryptoki.*
+%{_libdir}/opencryptoki/PKCS11_API.so
+%dir %{_libdir}/opencryptoki/stdll
+%dir %{_libdir}/pkcs11
+%{_libdir}/pkcs11/libopencryptoki.so
+%{_libdir}/pkcs11/PKCS11_API.so
+%{_libdir}/pkcs11/stdll
+# Co-owned with p11-kit
+%dir %{_datadir}/p11-kit/
+%dir %{_datadir}/p11-kit/modules/
+%{_datadir}/p11-kit/modules/opencryptoki.module
+
+%files devel
+%{_includedir}/%{name}/
+
+%files swtok
+%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
+%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
+
+%files tpmtok
+%doc doc/README.tpm_stdll
+%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
+%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
+
+%files icsftok
+%doc doc/README.icsf_stdll
+%{_sbindir}/pkcsicsf
+%{_mandir}/man1/pkcsicsf.1*
+%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
+%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
+
+%ifarch s390 s390x
+%files icatok
+%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
+%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
+
+%files ccatok
+%doc doc/README.cca_stdll
+%{_sbindir}/pkcscca
+%{_mandir}/man1/pkcscca.1*
+%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
+%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
+
+%files ep11tok
+%doc doc/README.ep11_stdll
+%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf
+%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf
+%{_sbindir}/pkcsep11_migrate
+%{_sbindir}/pkcsep11_session
+%{_mandir}/man1/pkcsep11_migrate.1*
+%{_mandir}/man1/pkcsep11_session.1*
+%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.*
+%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
+%endif
+
+
+%changelog
+* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-3
+- Resolves: #1902022
+   Fix compiling with c++
+   Added error message handling for p11sak remove-key command
+
+* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-2
+- Related: #1847433, Added error message handling for p11sak remove-key command
+
+* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
+- Related: #1847433
+  upstream fixes:
+    - Free generated key in all error cases
+    - CCA: Zeroize key buffer to avoid CCA 8/32 error
+    - Do not delete the map-btree entry if destroying an object is not allowed
+    - Remove now unused header timeb.h
+    - TESTCASES: Use FIPS conforming keys for 3DES CBC-MAC test vectors
+    - Fix buffer overrun in C_CopyObject
+    - TPM: Fix double free in openssl_gen_key
+
+* Mon Oct 19 2020 Than Ngo <than@redhat.com> - 3.15.0-1
+- Resolves: #1847433, rebase to 3.15.0 
+- Resolves: #1851105, PKCS #11 3.0 - baseline provider support
+- Resolves: #1851108, openCryptoki ep11 token: enhanced functionality
+- Resolves: #1851109, openCryptoki key management tool: key deletion function
+
+* Mon Jul 06 2020 Than Ngo <than@redhat.com> - 3.14.0-5
+- Related: #1853420, more fixes
+
+* Fri Jul 03 2020 Than Ngo <than@redhat.com> - 3.14.0-4
+- Resolves: #1853420, endian issue 
+
+* Mon Jun 15 2020 Than Ngo <than@redhat.com> - 3.14.0-3
+- Resolves: #1780294, PIN conversion tool
+
+* Tue May 26 2020 Than Ngo <than@redhat.com> - 3.14.0-2
+- Related: #1780293, fix regression, segfault in C_SetPin
+
+* Tue May 19 2020 Than Ngo <than@redhat.com> - 3.14.0-1
+- Resolves: #1723863 - ep11 token: Enhanced Support
+- Resolves: #1780285 - ep11 token: Support for new IBM Z hardware z15
+- Resolves: #1780293 - rebase to 3.14.0
+- Resolves: #1800549 - key management tool: list keys function
+ -Resolves: #1800555 - key management tool: random key generation function
+
+* Fri Dec 13 2019 Than Ngo <than@redhat.com> - 3.12.1-2
+- Resolves: #1782445, EP11: Fix EC-uncompress buffer length
+
+* Thu Nov 28 2019 Than Ngo <than@redhat.com> - 3.12.1-1
+- Resolves: #1777313, rebase to 3.12.1
+
+* Tue Nov 12 2019 Than Ngo <than@redhat.com> - 3.12.0-1
+- Resolves: #1726243, rebase to 3.12.0
+
+* Mon Aug 26 2019 Dan Horák <dhorak@redhat.com> - 3.11.1-2
+- Resolves: #1739433, ICA HW token missing after the package update
+
+* Mon May 06 2019 Than Ngo <than@redhat.com> - 3.11.1-1
+- Resolves: #1706140, rebase to 3.11.1
+
+* Tue Mar 26 2019 Than Ngo <than@redhat.com> - 3.11.0-3
+- Resolves: #1667941, 3des tests failures due to FIPS incompatible test scenarios
+- Resolves: #1651731, ep11 token: enhanced IBM z14 functions
+- Resolves: #1651732, ep11 token: support m_*Single functions from ep11 lib
+- Resolves: #1525407, use CPACF hashes in ep11 token
+- Resolves: #1651238, rebase to 3.11.0
+- Resolves: #1682530, gating
+
+* Fri Dec 14 2018 Than Ngo <than@redhat.com> - 3.10.0-3
+- Resolves: #1657683, can't establish libica token in FIPS mode
+- Resolves: #1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode
+
+* Thu Oct 25 2018 Than Ngo <than@redhat.com> - 3.10.0-2
+- Resolves: #1602641, covscan
+
+* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
+- Rebase to 3.10.0
+
+* Fri Feb 23 2018 Dan Horák <dan[at]danny.cz> - 3.9.0-1
+- Rebase to 3.9.0
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Nov 24 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-2
+- use upstream tmpfiles config
+
+* Thu Nov 23 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-1
+- Rebase to 3.8.2 (#1512678)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed May 17 2017 Sinny Kumari <sinny@redhat.com> - 3.7.0-1
+- Rebase to 3.7.0
+- Added libitm-devel as BuildRequires
+
+* Mon Apr 03 2017 Sinny Kumari <sinny@redhat.com> - 3.6.2-1
+- Rebase to 3.6.2
+- RHBZ#1424017 - opencryptoki: FTBFS in rawhide
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Sep 01 2016 Jakub Jelen <jjelen@redhat.com> - 3.5.1-1
+- New upstream release
+
+* Tue May 03 2016 Jakub Jelen <jjelen@redhat.com> - 3.5-1
+- New upstream release
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Dec 07 2015 Jakub Jelen <jjelen@redhat.com> 3.4.1-1
+- New bugfix upstream release
+
+* Wed Nov 18 2015 Jakub Jelen <jjelen@redhat.com> 3.4-1
+- New upstream release
+- Adding post-release patch fixing compile warnings
+
+* Thu Aug 27 2015 Jakub Jelen <jjelen@redhat.com> 3.3-1.1
+- New upstream release
+- Correct dependencies for group creation
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Thu May 07 2015 Jakub Jelen <jjelen@redhat.com> 3.2-3
+- Few more undefined symbols fixed for s390(x) specific targets
+- Do not require --no-undefined, because s390(x) requires some
+
+* Mon May 04 2015 Jakub Jelen <jjelen@redhat.com> 3.2-2
+- Fix missing sources and libraries in makefiles causing undefined symbols (#1193560)
+- Make inline function compatible for GCC5
+
+* Wed Sep 10 2014 Petr Lautrbach <plautrba@redhat.com> 3.2-1
+- new upstream release 3.2
+- add new sub-package opencryptoki-ep11tok on s390x
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Jul 24 2014 Petr Lautrbach <plautrba@redhat.com> 3.1-1
+- new upstream release 3.1
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon Feb 17 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-10
+- create the right lock directory for cca tokens (#1054442)
+
+* Wed Jan 29 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-9
+- use Requires(pre): opencryptoki-libs for subpackages
+
+* Mon Jan 20 2014 Dan Horák <dan[at]danny.cz> - 3.0-8
+- include token specific directories (#1013017, #1045775, #1054442)
+- fix pkcsconf crash for non-root users (#10054661)
+- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
+
+* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
+- fix build with -Werror=format-security (#1037228)
+
+* Fri Nov 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-6
+- apply post-3.0 fixes (#1033284)
+
+* Tue Nov 19 2013 Dan Horák <dan[at]danny.cz> - 3.0-5
+- update opencryptoki man page (#1001729)
+
+* Fri Aug 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-4
+- update unit file (#995002)
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Jul 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-2
+- update pkcsconf man page (#948460)
+
+* Mon Jul 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-1
+- new upstream release 3.0
+
+* Tue Jun 25 2013 Dan Horák <dan[at]danny.cz> - 2.4.3.1-1
+- new upstream release 2.4.3.1
+
+* Fri May 03 2013 Dan Horák <dan[at]danny.cz> - 2.4.3-1
+- new upstream release 2.4.3
+
+* Thu Apr 04 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-4
+- enable hardened build
+- switch to systemd macros in scriptlets (#850240)
+
+* Mon Jan 28 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-3
+- add virtual opencryptoki(token) Provides to token modules and as Requires
+  to main package (#904986)
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jun 21 2012 Dan Horák <dan[at]danny.cz> - 2.4.2-1
+- new upstream release 2.4.2
+- add pkcs_slot man page
+- don't add root to the pkcs11 group
+
+* Mon Jun 11 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-2
+- fix unresolved symbols in TPM module (#830129)
+
+* Sat Feb 25 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-1
+- new upstream release 2.4.1
+- convert from initscript to systemd unit
+- import fixes from RHEL-6 about root's group membership (#732756, #730903)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz> - 2.4-1
+- new upstream release 2.4
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Jan 17 2011 Dan Horák <dan[at]danny.cz> 2.3.3-1
+- new upstream release 2.3.3
+
+* Tue Nov 09 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.2-2
+- Apply Obsoletes to package names, not provides.
+
+* Tue Sep 14 2010 Dan Horák <dan[at]danny.cz> 2.3.2-1
+- new upstream release 2.3.2
+- put STDLLs in separate packages to match upstream package design
+
+* Thu Jul 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-7
+- Move the LICENSE file to the -libs subpackage.
+
+* Tue Jun 29 2010 Dan Horák <dan[at]danny.cz> 2.3.1-6
+- rebuilt with CCA enabled (#604287)
+- fixed issues from #546274
+
+* Fri Apr 30 2010 Dan Horák <dan[at]danny.cz> 2.3.1-5
+- fixed one more issue in the initscript (#547324)
+
+* Mon Apr 26 2010 Dan Horák <dan[at]danny.cz> 2.3.1-4
+- fixed pidfile creating and usage (#547324)
+
+* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-3
+- Also list 'reload' and 'force-reload' in "Usage: ...".
+
+* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-2
+- Support 'force-reload' in the initscript.
+
+* Wed Jan 27 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-1
+- New upstream release 2.3.1.
+- opencryptoki-2.3.0-fix-nss-breakage.patch was merged.
+
+* Fri Jan 22 2010 Dan Horák <dan[at]danny.cz> 2.3.0-5
+- made pkcsslotd initscript LSB compliant (#522149)
+
+* Mon Sep 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-4
+- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request.
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.3.0-3
+- rebuilt with new openssl
+
+* Sun Aug 16 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-2
+- Require libica-2.0.
+
+* Fri Aug 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-1
+- New upstream release 2.3.0:
+  - adds support for RSA 4096 bit keys in the ICA token.
+
+* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-5
+- Require arch-specific dependency on -libs.
+
+* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-4
+- Return support for crypto hw on s390.
+- Renamed to opencryptoki.
+- Simplified multilib by putting libs in subpackage as suggested by Dan Horák.
+
+* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-2
+- Fedora package based on RHEL-5 package.