.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,4 @@
-SOURCES/opencryptoki-3.22.0.tar.gz
+SOURCES/opencryptoki-3.19.0.tar.gz
+/opencryptoki-3.19.0.tar.gz
+/opencryptoki-3.21.0.tar.gz
+/opencryptoki-3.22.0.tar.gz

3.22-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch

@@ -0,0 +1,55 @@
+From 742463a3c5a25313ab7ceb578d81b9998db65f67 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 2 Apr 2025 16:36:45 +0200
+Subject: [PATCH] CCA: Adjust CCA host library version detection for newer CCA
+ versions
+
+Newer CCA versions might report the version string with CSUACFV or CSUACFQ
+with keyword STATCCA using a different indicator character after the version
+information. Ignore the indication character and the remaining data entirely.
+Only the version information as such is of interest.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/lib/cca_stdll/cca_specific.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/usr/lib/cca_stdll/cca_specific.c b/usr/lib/cca_stdll/cca_specific.c
+index 80369248..08e794d0 100644
+--- a/usr/lib/cca_stdll/cca_specific.c
++++ b/usr/lib/cca_stdll/cca_specific.c
+@@ -751,7 +751,6 @@ static CK_RV cca_get_version(STDLL_TokData_t *tokdata)
+     long return_code, reason_code;
+     long version_data_length;
+     long exit_data_len = 0;
+-    char date[20];
+ 
+     /* Get CCA host library version */
+     version_data_length = sizeof(version_data);
+@@ -767,10 +766,10 @@ static CK_RV cca_get_version(STDLL_TokData_t *tokdata)
+     version_data[sizeof(version_data) - 1] = '\0';
+     TRACE_DEVEL("CCA Version string: %s\n", version_data);
+ 
+-    if (sscanf((char *)version_data, "%u.%u.%uz%s",
++    if (sscanf((char *)version_data, "%u.%u.%u",
+                &cca_private->cca_lib_version.ver,
+                &cca_private->cca_lib_version.rel,
+-               &cca_private->cca_lib_version.mod, date) != 4) {
++               &cca_private->cca_lib_version.mod) != 3) {
+         TRACE_ERROR("CCA library version is invalid: %s\n", version_data);
+         return CKR_FUNCTION_FAILED;
+     }
+@@ -3431,8 +3430,8 @@ static CK_RV cca_get_adapter_version(cca_min_card_version_t *data)
+     memcpy(ccaversion, &rule_array[CCA_STATCCA_CCA_VERSION_OFFSET],
+            CCA_STATCCA_CCA_VERSION_LENGTH);
+ 
+-    if (sscanf(ccaversion, "%d.%d.%02d*", (int *)&adapter_version.ver,
+-               (int *)&adapter_version.rel, (int *)&adapter_version.mod) != 3) {
++    if (sscanf(ccaversion, "%u.%u.%u", &adapter_version.ver,
++               &adapter_version.rel, &adapter_version.mod) != 3) {
+         TRACE_ERROR("sscanf of string %s failed, cannot determine CCA card version\n",
+                     ccaversion);
+         return CKR_FUNCTION_FAILED;
+-- 
+2.16.2.windows.1
+

CI_plan.fmf

@@ -0,0 +1,38 @@
+/tier1-tests-on-x86_64-with-swtok:
+
+  summary: opencryptoki Tier1 tests on x86_64 with swtok
+
+  tag:
+   - Tier1
+
+  discover:
+    url: https://gitlab.cee.redhat.com/rhel-tests/opencryptoki.git
+    filter: "tag:Tier1"
+    how: fmf
+    test:
+     - "Sanity/.*"
+     - "Regression/.*"
+
+  execute:
+    how: tmt
+
+/sw-token-package-update:
+
+  summary: perform opencryptoki package update on a configured SW token
+
+  prepare:
+   - how: shell
+     order: 90
+     script:
+      - dnf -y downgrade 'opencryptoki*'
+
+  discover:
+    url: https://gitlab.cee.redhat.com/rhel-tests/opencryptoki.git
+    how: fmf
+    test:
+      - /Update/initialized-sw-token/setup
+      - /Update/dnf-update-opencryptoki
+      - /Update/initialized-sw-token/test
+
+  execute:
+    how: tmt

gating.yaml

@@ -0,0 +1,7 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.openstack-tier1-gating.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.beaker-tier1-gating.functional}

opencryptoki.spec

@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.22.0
-Release: 3%{?dist}
+Release: 3%{?dist}.1
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@@ -21,6 +21,8 @@ Patch21: opencryptoki-CVE-2024-0914-part2.patch
 Patch22: opencryptoki-CVE-2024-0914-part3.patch
 Patch23: opencryptoki-CVE-2024-0914-part4.patch
 Patch24: opencryptoki-CVE-2024-0914-part5.patch
+# supporting CCA 8.4
+Patch25: 3.22-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch
 
 Requires(pre): coreutils diffutils
 Requires: (selinux-policy >= 3.14.3-121 if selinux-policy-targeted)
@@ -381,6 +383,9 @@ fi
 
 
 %changelog
+* Mon Aug 11 2025 Than Ngo <than@redhat.com> - 3.22.0-3.1
+- Resolves: RHEL-105918, fix for supporting CCA 8.4
+
 * Fri Feb 16 2024 Than Ngo <than@redhat.com> - 3.22.0-3
 - Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
 Related: RHEL-22791

sources

@@ -0,0 +1 @@
+SHA512 (opencryptoki-3.22.0.tar.gz) = 404b32b19ef70c3e971bf6dd918fa5fa23701eff591282330085b53491597a2fb5928f800110a28dbc8a22744e00477dadadedf5cea5503984078cad38c46b25